Debian Security Bug Tracker: DEBIANCVE:CVE-2023-46814
History: Nov 22, 2023 - 5:15 a.m.

CVE-2023-46814

2023-11-22 05:15:07
Debian Security Bug Tracker
security-tracker.debian.org
Tags: cve-2023-46814, videolan, windows, uninstaller, elevated privileges, arbitrary code execution, system, unix

CVSS3: 7.8 High

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.5 High (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 5.1%)

A binary hijacking vulnerability exists within the VideoLAN VLC media player before 3.0.19 on Windows. The uninstaller attempts to execute code with elevated privileges out of a standard user writable location. Standard users may use this to gain arbitrary code execution as SYSTEM.

| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 12 | all | vlc | < 3.0.21-0+deb12u1 | vlc_3.0.21-0+deb12u1_all.deb |
| Debian | 11 | all | vlc | < 3.0.21-0+deb11u1 | vlc_3.0.21-0+deb11u1_all.deb |
| Debian | 999 | all | vlc | < 3.0.21-1 | vlc_3.0.21-1_all.deb |
| Debian | 13 | all | vlc | < 3.0.21-1 | vlc_3.0.21-1_all.deb |
