CVE-2015-5070
low-risk
Published 2017-09-26
The (1) filesystem::get_wml_location function in filesystem.cpp and (2) is_legal_file function in filesystem_boost.cpp in Battle for Wesnoth before 1.12.4 and 1.13.x before 1.13.1, when a case-insensitive filesystem is used, allow remote attackers to obtain sensitive information via vectors related to inclusion of .pbl files from WML. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5069.
Do I need to act?
0.67% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 3.1/10
Low
NETWORK / HIGH complexity
Affected Vendors
References (18)
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161722.html
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161752.html
Third Party Advisory
http://www.securityfocus.com/bid/75425
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=1236010
Release Notes
https://github.com/wesnoth/wesnoth/releases/tag/1.12.4
Release Notes
https://github.com/wesnoth/wesnoth/releases/tag/1.13.1
Broken Link
https://gna.org/bugs/?23504
23 / 100
low-risk
Severity
11/34 · Low
Exploitability
2/34 · Minimal
Exposure
10/34 · Low