Lucene search

K
cvelistZscalerCVELIST:CVE-2023-41973
HistoryMar 26, 2024 - 2:19 p.m.

CVE-2023-41973 Lack of input santization on Zscaler Client Connector enables arbitrary code execution

2024-03-2614:19:13
CWE-22
Zscaler
www.cve.org
zscaler client connector
input santization
arbitrary code execution
win zapp 4.3.0.121

7.3 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

0.0004 Low

EPSS

Percentile

10.5%

ZSATray passes the previousInstallerName as a config parameter to TrayManager, and TrayManager constructs the path and appends previousInstallerName to get the full path of the exe. Fixed Version: Win ZApp 4.3.0.121 and later.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Windows"
    ],
    "product": "Client Connector",
    "vendor": "Zscaler",
    "versions": [
      {
        "lessThan": "4.3.0.121",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

7.3 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

0.0004 Low

EPSS

Percentile

10.5%

Related for CVELIST:CVE-2023-41973