
CVE-2024-7062 Local Privilege Escalation in Nimble Commander <= v1.6.0, Build 4087

2024-07-26 11:26:31
CWE-863
Pentraze
github.com
cve-2024-7062
privilege escalation
nimble commander
validation
authorization
root user
system-level commands
permissions
ownership
file descriptor
termination

CVSS3: 8.8
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score: 7.8
Confidence: High

SSVC
Exploitation: poc
Automatable: no
Technical Impact: total

Nimble Commander suffers from a privilege escalation vulnerability due to the server (info.filesmanager.Files.PrivilegedIOHelperV2) performing improper/insufficient validation of a client’s authorization before executing an operation. Consequently, it is possible to execute system-level commands as the root user, such as changing permissions and ownership, obtaining a handle (file descriptor) of an arbitrary file, and terminating processes, among other operations.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:michaelkazakov:nimble_commander:*:*:*:*:*:*:*:*"
    ],
    "vendor": "michaelkazakov",
    "product": "nimble_commander",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "1.6.0"
      }
    ],
    "defaultStatus": "unknown"
  }
]
