{"containers":{"cna":{"affected":[{"product":"Rufus","vendor":"Akeo Consulting","versions":[{"status":"affected","version":"prior to 2.17.1187"}]}],"credits":[{"lang":"en","value":"Reported by Will Dormann of the CERT/CC"}],"datePublic":"2017-08-28T00:00:00.000Z","descriptions":[{"lang":"en","value":"Akeo Consulting Rufus prior to version 2.17.1187 does not adequately validate the integrity of updates downloaded over HTTP, allowing an attacker to easily convince a user to execute arbitrary code"}],"metrics":[{"cvssV3_0":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","version":"3.0"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-295","description":"CWE-295: Improper Certificate Validation","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-494","description":"CWE-494: Download of Code Without Integrity Check","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-345","description":"CWE-345: Insufficient Verification of Data Authenticity","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-347","description":"CWE-347: Improper Verification of Cryptographic Signature","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2017-10-19T09:57:01.000Z","orgId":"37e5125f-f79b-445b-8fad-9564f167944b","shortName":"certcc"},"references":[{"name":"VU#403768","tags":["third-party-advisory","x_refsource_CERT-VN"],"url":"http://www.kb.cert.org/vuls/id/403768"},{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/pbatard/rufus/issues/1009"},{"name":"100516","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/100516"},{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/pbatard/rufus/commit/c3c39f7f8a11f612c4ebf7affce25ec6928eb1cb"}],"workarounds":[{"lang":"en","value":"Manually download updates from https://rufus.akeo.ie/"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cert@cert.org","ID":"CVE-2017-13083","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Rufus","version":{"version_data":[{"platform":"","version_value":"prior to 2.17.1187"}]}}]},"vendor_name":"Akeo Consulting"}]}},"configuration":[],"credit":["Reported by Will Dormann of the CERT/CC"],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Akeo Consulting Rufus prior to version 2.17.1187 does not adequately validate the integrity of updates downloaded over HTTP, allowing an attacker to easily convince a user to execute arbitrary code"}]},"exploit":"","impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","version":"3.0"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-295: Improper Certificate Validation"}]},{"description":[{"lang":"eng","value":"CWE-494: Download of Code Without Integrity Check"}]},{"description":[{"lang":"eng","value":"CWE-345: Insufficient Verification of Data Authenticity"}]},{"description":[{"lang":"eng","value":"CWE-347: Improper Verification of Cryptographic Signature"}]}]},"references":{"reference_data":[{"name":"VU#403768","refsource":"CERT-VN","url":"http://www.kb.cert.org/vuls/id/403768"},{"name":"https://github.com/pbatard/rufus/issues/1009","refsource":"CONFIRM","url":"https://github.com/pbatard/rufus/issues/1009"},{"name":"100516","refsource":"BID","url":"http://www.securityfocus.com/bid/100516"},{"name":"https://github.com/pbatard/rufus/commit/c3c39f7f8a11f612c4ebf7affce25ec6928eb1cb","refsource":"CONFIRM","url":"https://github.com/pbatard/rufus/commit/c3c39f7f8a11f612c4ebf7affce25ec6928eb1cb"}]},"solution":"Upgrade to Akeo Consulting Rufus version 2.17.1187 or later","work_around":[{"lang":"en","value":"Manually download updates from https://rufus.akeo.ie/"}]}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-05T18:58:12.360Z"},"title":"CVE Program Container","references":[{"name":"VU#403768","tags":["third-party-advisory","x_refsource_CERT-VN","x_transferred"],"url":"http://www.kb.cert.org/vuls/id/403768"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/pbatard/rufus/issues/1009"},{"name":"100516","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/100516"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/pbatard/rufus/commit/c3c39f7f8a11f612c4ebf7affce25ec6928eb1cb"}]}]},"cveMetadata":{"assignerOrgId":"37e5125f-f79b-445b-8fad-9564f167944b","assignerShortName":"certcc","cveId":"CVE-2017-13083","datePublished":"2017-10-18T13:00:00.000Z","dateReserved":"2017-08-22T00:00:00.000Z","dateUpdated":"2024-08-05T18:58:12.360Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}