Deserialization of untrusted data

2019-12-3018:15:00

PRIOn knowledge base

www.prio-n.com

7.8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.9%

JSON

Unsafe usage of .NET deserialization in Named Pipe message processing allows privilege escalation to NT AUTHORITY\SYSTEM for a local attacker. Affected product is TinyWall, all versions up to and including 2.1.12. Fixed in version 2.1.13.

CPENameOperatorVersion
tinywalllt2.1.13

CPE	Name	Operator	Version
	tinywall	lt	2.1.13

References

gist.github.com/pylorak/7df52c9325614676e07782dbe4e81582

www.wilderssecurity.com/threads/beta-testing-tinywall.309739/page-62