Vulnerability Details CVE-2020-5209
In NetHack before 3.6.5, unknown options starting with -de and -i can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to influence command line options. Users should upgrade to NetHack 3.6.5.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.017
EPSS Ranking 81.5%
CVSS Severity
CVSS v3 Score 5.0
CVSS v2 Score 4.6
References
- https://github.com/NetHack/NetHack/commit/f3def5c0b999478da2d0a8f0b6a7c370a2065f77
- https://github.com/NetHack/NetHack/security/advisories/GHSA-fw72-r8xm-45p8
- https://github.com/NetHack/NetHack/commit/f3def5c0b999478da2d0a8f0b6a7c370a2065f77
- https://github.com/NetHack/NetHack/security/advisories/GHSA-fw72-r8xm-45p8
Products affected by CVE-2020-5209
-
cpe:2.3:a:nethack:nethack:3.2.2
-
cpe:2.3:a:nethack:nethack:3.2.3
-
cpe:2.3:a:nethack:nethack:3.3.0
-
cpe:2.3:a:nethack:nethack:3.4.0
-
cpe:2.3:a:nethack:nethack:3.4.1
-
cpe:2.3:a:nethack:nethack:3.4.2
-
cpe:2.3:a:nethack:nethack:3.4.3
-
cpe:2.3:a:nethack:nethack:3.4.4
-
cpe:2.3:a:nethack:nethack:3.5.0
-
cpe:2.3:a:nethack:nethack:3.6.0
-
cpe:2.3:a:nethack:nethack:3.6.1
-
cpe:2.3:a:nethack:nethack:3.6.2
-
cpe:2.3:a:nethack:nethack:3.6.3
-
cpe:2.3:a:nethack:nethack:3.6.4