Vulnerability Description
Tencent GameLoop before 4.1.21.90 downloaded updates over an insecure HTTP connection. A malicious attacker in an MITM position could spoof the contents of an XML document describing an update package, replacing a download URL with one pointing to an arbitrary Windows executable. Because the only integrity check would be a comparison of the downloaded file's MD5 checksum to the one contained within the XML document, the downloaded executable would then be executed on the victim's machine.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tencent | Gameloop | < 4.1.21.90 |
Related Weaknesses (CWE)
References
- https://github.com/mmiszczyk/cve-2021-33879ExploitThird Party Advisory
- https://www.gameloop.comVendor Advisory
- https://github.com/mmiszczyk/cve-2021-33879ExploitThird Party Advisory
- https://www.gameloop.comVendor Advisory
FAQ
What is CVE-2021-33879?
CVE-2021-33879 is a vulnerability with a CVSS score of 8.1 (HIGH). Tencent GameLoop before 4.1.21.90 downloaded updates over an insecure HTTP connection. A malicious attacker in an MITM position could spoof the contents of an XML document describing an update package...
How severe is CVE-2021-33879?
CVE-2021-33879 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-33879?
Check the references section above for vendor advisories and patch information. Affected products include: Tencent Gameloop.