CVE-2019-12571

Exploit

EPSS 0.03%
Veröffentlicht 11.07.2019 20:15:12
Zuletzt bearbeitet 21.11.2024 04:23:06
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to overwrite arbitrary files. When the client initiates a connection, the XML /tmp/pia-watcher.plist file is created. If the file exists, it will be truncated and the contents completely overwritten. This file is removed on disconnect. An unprivileged user can create a hard or soft link to arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Londontrustmedia ≫ Private Internet Access Vpn Client Version0.9.8 Updatebeta

Apple ≫ macOS Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.058

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.1	1.8	5.2	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
nvd@nist.gov	6.6	3.9	9.2	AV:L/AC:L/Au:N/C:N/I:C/A:C

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12571.txt

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2019-12571

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-12571

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-12571

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2019-12571