CVE-2019-12571

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to overwrite arbitrary files. When the client initiates a connection, the XML /tmp/pia-watcher.plist file is created. If the file exists, it will be truncated and the contents completely overwritten. This file is removed on disconnect. An unprivileged user can create a hard or soft link to arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:londontrustmedia:private_internet_access_vpn_client:0.9.8:beta:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

History

21 Nov 2024, 04:23

Type Values Removed Values Added
References () https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12571.txt - Exploit, Third Party Advisory () https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12571.txt - Exploit, Third Party Advisory

Information

Published : 2019-07-11 20:15

Updated : 2024-11-21 04:23


NVD link : CVE-2019-12571

Mitre link : CVE-2019-12571

CVE.ORG link : CVE-2019-12571


JSON object : View

Products Affected

londontrustmedia

  • private_internet_access_vpn_client

apple

  • macos
CWE
CWE-59

Improper Link Resolution Before File Access ('Link Following')