7.8

CVE-2023-39520

Exploit

EPSS 0.03%
Veröffentlicht 07.08.2023 20:15:09
Zuletzt bearbeitet 10.04.2025 20:53:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Cryptomator encrypts data being stored on cloud infrastructure. The MSI installer provided on the homepage for Cryptomator version 1.9.2 allows local privilege escalation for low privileged users, via the `repair` function. The problem occurs as the repair function of the MSI is spawning an SYSTEM Powershell without the `-NoProfile` parameter. Therefore the profile of the user starting the repair will be loaded. Version 1.9.3 contains a fix for this issue. Adding a `-NoProfile` to the powershell is a possible workaround.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cryptomator ≫ Cryptomator Version < 1.9.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.08

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://github.com/cryptomator/cryptomator/commit/727c32ad50c3901a6144a11cf984a3b7ebcf8b2b

Patch

https://github.com/cryptomator/cryptomator/releases/download/1.9.2/Cryptomator-1.9.2-x64.msi

Product

https://github.com/cryptomator/cryptomator/releases/tag/1.9.3

Release Notes

https://github.com/cryptomator/cryptomator/security/advisories/GHSA-62gx-54j7-mjh3

Vendor Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2023-39520

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-39520

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-39520

EUVD