CVE-2017-20205 (CNNVD-202510-2274)
中文标题:
Source SDK 安全漏洞
英文标题:
Valve Source SDK Stack-Based Buffer Overflow RCE
漏洞描述
中文描述:
Source SDK是Valve Software开源的一个电脑游戏。 Source SDK存在安全漏洞,该漏洞源于ragdoll模型解析逻辑中存在基于栈的缓冲区溢出,可能导致远程代码执行。
英文描述:
Valve's Source SDK (source-sdk-2013)'s ragdoll model parsing logic contains a stack-based buffer overflow vulnerability.The tokenizer function `nexttoken` copies characters from an input string into a fixed-size stack buffer without performing bounds checks. When `ParseKeyValue` processes a collisionpair rule longer than the destination buffer (256 bytes), an overflow of the stack buffer `szToken` can occur and overwrite the function return address. A remote attacker can trigger the vulnerable code by supplying a specially crafted ragdoll model which causes the oversized collisionpair rule to be parsed, resulting in remote code execution on affected clients or servers. Valve has addressed this issue in many of their Source games, but independently-developed games must manually apply patch.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| Valve Software | Source SDK (source-sdk-2013) | source-sdk-2013 | - | - |
cpe:2.3:a:valve_software:source_sdk_(source-sdk-2013):source-sdk-2013:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
4.0 (cna)
CRITICALCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2017-20205 |
2025-11-11 15:19:25 | 2025-11-11 07:34:44 |
| NVD | nvd_CVE-2017-20205 |
2025-11-11 14:55:40 | 2025-11-11 07:43:22 |
| CNNVD | cnnvd_CNNVD-202510-2274 |
2025-11-11 15:12:59 | 2025-11-11 08:00:17 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202510-2274
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']