CVE Vulnerability

CVE-2021-21292

Traccar is an open source GPS tracking system. In Traccar before version 4.12 there is an unquoted Windows binary path vulnerability. Only Windows versions are impacted. Attacker needs write access to the filesystem on the host machine. If Java path includes a space, then attacker can lift their privilege to the same as Traccar service (system). This is fixed in version 4.12.

1.9 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 3.4 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

6.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://www.traccar.org/ Product
https://github.com/traccar/traccar/security/advisories/GHSA-j75r-7qm5-62q5 Third Party Advisory
https://github.com/traccar/traccar/commit/cc69a9907ac9878db3750aa14ffedb28626455da Patch Third Party Advisory
Configurations

Configuration 1
Information

Published : 2021-02-02 08:15

Updated : 2021-02-08 06:37

NVD link : CVE-2021-21292

Mitre link : CVE-2021-21292

Products Affected
No products.
CWE
CWE-428