Lucene search

GitHub_MCVE-2023-37907

HistoryJul 25, 2023 - 9:15 p.m.

CVE-2023-37907

2023-07-2521:15:10

CWE-269

GitHub_M

web.nvd.nist.gov

cryptomator

data encryption

software

cloud

cve-2023-37907

security vulnerability

local privilege escalation

lpe

msi installer

nvd

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

Percentile

5.1%

JSON

Cryptomator is data encryption software for users who store their files in the cloud. Prior to version 1.9.2, the MSI installer provided on the homepage allows local privilege escalation (LPE) for low privileged users, if already installed. The problem occurs as the repair function of the MSI spawns two administrative CMDs. A simple LPE is possible via a breakout. Version 1.9.2 fixes this issue.

Affected configurations

Nvd

Node

cryptomatorcryptomatorRange<1.9.2

VendorProductVersionCPE
cryptomatorcryptomator*cpe:2.3:a:cryptomator:cryptomator:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cryptomator	cryptomator	*	cpe:2.3:a:cryptomator:cryptomator::::::::

CNA Affected

[
  {
    "vendor": "cryptomator",
    "product": "cryptomator",
    "versions": [
      {
        "version": "1.9.2",
        "status": "affected"
      }
    ]
  }
]

References

github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670b868fa208c

github.com/cryptomator/cryptomator/releases/tag/1.9.2

github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpjq

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

Percentile

5.1%

JSON

Related for CVE-2023-37907