VDB
CVE-2011-3012
CVE-2011-3012
PUBLISHED
The ioQuake3 engine, as used in World of Padman 1.2 and earlier, Tremulous 1.1.0, and ioUrbanTerror 2007-12-20, does not check for dangerous file extensions before writing to the quake3 directory, which allows remote attackers to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file, a different vulnerability than CVE-2011-2764.
EPSS 8.15% · 92.3th percentile
Risk Scores
EPSS Score
8.15%
92.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | ioquake3 | 1.36+u20170803+dfsg1-1, 1.36+u20171016~dfsg-1, 1.36+u20171122~dfsg-1 |
| Ubuntu:20.04:LTS | ioquake3 | 0, 1.36+u20190529.350b8f9~dfsg-2, * |
| Ubuntu:25.10 | ioquake3 | 0, 1.36+u20241011.cc18246+dfsg-1, 1.36+u20250316.526edd3+dfsg-1 |
| Ubuntu:24.04:LTS | ioquake3 | 1.36+u20240217.7d711f8+dfsg-1build1, 1.36+u20240217.7d711f8+dfsg-1, 1.36+u20230706.10a45cb+dfsg-1 |
| Ubuntu:16.04:LTS | ioquake3 | *, 0, 1.36+u20151017+dfsg1-1 |
| Ubuntu:22.04:LTS | ioquake3 | 0, 1.36+u20220205.c0f2964~dfsg-1, 1.36+u20211208.84daa28~dfsg-1 |
Exploit Intelligence
- http://archives.neohapsis.com/archives/fulldisclosure/2011-07/0338.html (nist-nvd)
- ioquake-gamecode-code-execution(68870) (circl)
- https://bugzilla.redhat.com/show_bug.cgi?id=725951 (circl)
- ioquake-file-extensions-code-execution(69164) (circl)
- 48915 (circl)
- 20110728 Two security issues fixed in ioQuake3 engine (circl)
- 8324 (circl)
- GLSA-201706-23 (circl)
Timeline
- Aug 9, 2011 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- Jul 17, 2023 EPSS Score
- Aug 28, 2023 EPSS Score
- Sep 7, 2023 EPSS Score
- Dec 22, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2011-3012 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2011-3012 third-party-advisory