Lucene search

[email protected]NVD:CVE-2020-24356

HistoryOct 02, 2020 - 3:15 p.m.

CVE-2020-24356

2020-10-0215:15:12

CWE-427

[email protected]

web.nvd.nist.gov

cve-2020-24356

cloudflared

local privilege escalation

windows

configuration files

malicious entity

executing commands

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

cloudflared versions prior to 2020.8.1 contain a local privilege escalation vulnerability on Windows systems. When run on a Windows system, cloudflared searches for configuration files which could be abused by a malicious entity to execute commands as a privileged user. Version 2020.8.1 fixes this issue.

Affected configurations

Nvd

Node

cloudflarecloudflaredRange<2020.8.1

VendorProductVersionCPE
cloudflarecloudflared*cpe:2.3:a:cloudflare:cloudflared:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cloudflare	cloudflared	*	cpe:2.3:a:cloudflare:cloudflared::::::::

References

github.com/cloudflare/cloudflared/security/advisories/GHSA-hgwp-4vp4-qmm2

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

Related for NVD:CVE-2020-24356

cvelist1 osv3 cve1 veracode1 github1 prion1