Vulnerability ID 4974

Id Software Quake 3 Engine UDP Request Parser getstatus denial of service


A vulnerability was found in the Id Software Quake 3 Engine (the affected version is unknown). It has been classified as critical. It affects the function getstatus of the UDP Request Parser component. Manipulation with an unknown input leads to a denial of service (crash), which impacts availability.

The weakness was shared on 01/03/2010. The advisory is shared for download at This vulnerability has been tracked as CVE-2010-5077 since 12/19/2011. Exploitation is said to be easy. The attack can be launched remotely and does not require any form of authentication. Technical details and a public exploit are known.

The vulnerability scanner Nessus provides a plugin with the ID 58784 (Fedora 17 : tremulous-1.2.0-0.5.beta1.fc17 (2012-5371)), which helps to determine whether the flaw exists in a target environment. It is assigned to the family Fedora Local Security Checks and runs in the local context.

Upgrading eliminates this vulnerability. Applying a patch also eliminates the problem. The bugfix is ready for download at The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation was published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the databases at SecurityFocus (BID 52719), X-Force (74343), Secunia (SA48594) and Vulnerability Center (SBV-38728). The entry 3365 is pretty similar.


Base Score: 7.5
Temp Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Reliability: High


Base Score: 7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
Temp Score: 5.8 (CVSS2#E:U/RL:OF/RC:C)
Reliability: High




Class: Denial of service (CWE-20)
Local: No
Remote: Yes

Availability: No
Access: Public
Status: Unproven

Current Price Estimation: $1k-$2k (0-day) / $0-$1k (Today)


Nessus ID: 58784
Nessus Name: Fedora 17 : tremulous-1.2.0-0.5.beta1.fc17 (2012-5371)
Nessus File: debian_DSA-2442.nasl
Nessus Family: Fedora Local Security Checks
Nessus Context: local
Nessus Port: 0
OpenVAS ID: 71245
OpenVAS Name: Debian Security Advisory DSA 2442-1 (openarena)
OpenVAS File: deb_2442_1.nasl
OpenVAS Family: Debian Local Security Checks


Recommended: Upgrade
Status: Official fix
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known



01/03/2010 Advisory disclosed
01/03/2010 +0 days Countermeasure disclosed
12/19/2011 +715 days CVE assigned
03/26/2012 +98 days SecurityFocus entry assigned
03/26/2012 +0 days VulnerabilityCenter entry assigned
03/29/2012 +3 days OSVDB entry created
04/02/2012 +4 days VulDB entry created
04/19/2012 +17 days Nessus plugin released
03/12/2013 +327 days VulnerabilityCenter entry created
10/27/2014 +594 days NVD disclosed
10/29/2014 +2 days VulnerabilityCenter entry updated
07/08/2015 +252 days VulDB last update


Status: Confirmed

CVE: CVE-2010-5077

SecurityFocus: 52719 - ioQuake3 Engine Multiple Remote Denial of Service Vulnerabilities
Secunia: 48594 - Debian update for openarena, Not Critical
X-Force: 74343 - ioQuake3 Engine multiple denial of service, Medium Risk
Vulnerability Center: 38728 - ID Software Quake3 Engine Based Games Remote UDP DoS, High
OSVDB: 80644 - Quake 3 Engine getstatus UDP Request Parsing Remote DoS

See also: 3365


Created: 04/02/2012
Updated: 07/08/2015
Entry: 93.4% complete