Lucene search

MitreCVE-2019-12162

HistoryJul 23, 2019 - 3:15 p.m.

CVE-2019-12162

2019-07-2315:15:11

CWE-494

mitre

web.nvd.nist.gov

upwork time tracker

cve-2019-12162

sha256

code execution

local privilege escalation

security vulnerability

nvd

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

Upwork Time Tracker 5.2.2.716 doesn’t verify the SHA256 hash of the downloaded program update before running it, which could lead to code execution or local privilege escalation by replacing the original update.exe.

Affected configurations

Nvd

Node

upworktime_trackerMatch5.2.2.716

VendorProductVersionCPE
upworktime_tracker5.2.2.716cpe:2.3:a:upwork:time_tracker:5.2.2.716:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
upwork	time_tracker	5.2.2.716	cpe:2.3:a:upwork:time_tracker:5.2.2.716:::::::*

References

support.upwork.com/hc/en-us/categories/360001180954

vuldb.com/?id.138406

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

Related for CVE-2019-12162