← Advisories

Epic Games Psyonix Rocket League <=1.95 Insecure Permissions

Medium

Advisory ID

ZSL-2021-5650

Release Date

30 April 2021

Vendor

Epic Games Inc. - https://www.epicgames.com, https://www.rocketleague.com, Psyonix, LLC - https://www.psyonix.com

Affected Version

<=1.95

CVE

CVE-2021-47742

Tested On

Microsoft Windows 10

Summary

Rocket League is a high-powered hybrid of arcade-style soccer and vehicular mayhem with easy-to-understand controls and fluid, physics-driven competition.

Description

The application suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Authenticated Users' group.

Proof of Concept

rocketleague_perms.txtTXT

Disclosure Timeline

20.04.2021Vulnerability discovered.

26.04.2021Vendor contacted.

30.04.2021HackerOne states not valid.

30.04.2021Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://packetstormsecurity.com/files/162435

[2]https://exchange.xforce.ibmcloud.com/vulnerabilities/201128

[3]https://www.cve.org/CVERecord?id=CVE-2021-47742

Changelog

30.04.2021Initial release

04.05.2021Added reference [1] and [2]

23.03.2026Added reference [3]