Improper Input Validation Affecting ioquake3 package, versions <1.36+svn1946-4


Severity

Recommended
0.0
critical
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
6.85% (94th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Input Validation vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN11-IOQUAKE3-518436
  • published9 Aug 2011
  • disclosed9 Aug 2011

Introduced: 9 Aug 2011

CVE-2011-3012  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade Debian:11 ioquake3 to version 1.36+svn1946-4 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream ioquake3 package and not the ioquake3 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

The ioQuake3 engine, as used in World of Padman 1.2 and earlier, Tremulous 1.1.0, and ioUrbanTerror 2007-12-20, does not check for dangerous file extensions before writing to the quake3 directory, which allows remote attackers to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file, a different vulnerability than CVE-2011-2764.

CVSS Scores

version 3.1