CVE-2020-15261

Exploit

EPSS 8.06%
Veröffentlicht 19.10.2020 22:15:13
Zuletzt bearbeitet 21.11.2024 05:05:13
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administrative privileges, this vulnerability is only dangerous in anyway unsafe setups. The problem has been fixed in version 4.4.2. As a workaround, the exploitation of the vulnerability can be prevented by revoking administrative privileges from all potentially untrustworthy users.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Veyon ≫ Veyon Version < 4.4.2

Microsoft ≫ Windows Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	8.06%	0.918

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.7	0.8	5.9	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C
security-advisories@github.com	8	1.3	6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-428 Unquoted Search Path or Element

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

http://packetstormsecurity.com/files/162873/Veyon-4.4.1-Unquoted-Service-Path.html

Third Party Advisory

Exploit

VDB Entry

https://github.com/veyon/veyon/commit/f231ec511b9a09f43f49b2c7bb7c60b8046276b1

Patch

Third Party Advisory

https://github.com/veyon/veyon/issues/657

Third Party Advisory

Issue Tracking

https://github.com/veyon/veyon/security/advisories/GHSA-c8cc-x786-hqqp

Third Party Advisory