CVE-2017-9833

Name: CVE-2017-9833
Description: /cgi-bin/wapopen in Boa 0.94.14rc21 allows the injection of "../.." using the FILECAMERA variable (sent by GET) to read files with root privileges. NOTE: multiple third parties report that this is a system-integrator issue (e.g., a vulnerability on one type of camera) because Boa does not include any wapopen program or any code to read a FILECAMERA variable.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Notes

NOT-FOR-US: Undetermined product
/wapopen is not part of BOA, it's probably an insecure CGI
script used in some embedded product relying on BOA as webserver.
I asked Mitre to reject the CVE. -- Raphael Hertzog
