7.8
CVE-2023-39520
- EPSS 0.31%
- Veröffentlicht 07.08.2023 20:15:09
- Zuletzt bearbeitet 10.04.2025 20:53:51
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginCryptomator vulnerable to Local Elevation of Privileges
Cryptomator encrypts data being stored on cloud infrastructure. The MSI installer provided on the homepage for Cryptomator version 1.9.2 allows local privilege escalation for low privileged users, via the `repair` function. The problem occurs as the repair function of the MSI is spawning an SYSTEM Powershell without the `-NoProfile` parameter. Therefore the profile of the user starting the repair will be loaded. Version 1.9.3 contains a fix for this issue. Adding a `-NoProfile` to the powershell is a possible workaround.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cryptomator ≫ Cryptomator Version < 1.9.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.31% | 0.227 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 5.5 | 1.8 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
|
CWE-269 Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
https://github.com/cryptomator/cryptomator/commit/727c32ad50c3901a6144a11cf984a3b7ebcf8b2b
https://github.com/cryptomator/cryptomator/releases/download/1.9.2/Cryptomator-1.9.2-x64.msi
https://github.com/cryptomator/cryptomator/releases/tag/1.9.3
https://github.com/cryptomator/cryptomator/security/advisories/GHSA-62gx-54j7-mjh3