The Windows component of Centrify Authentication and Privilege Elevation Services 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1 (18.8), 3.5.2 (18.11), and 3.6.0 (19.6) does not properly handle an unspecified exception during use of partially trusted assemblies to serialize input data, which allows attackers to execute arbitrary code inside the Centrify process via (1) a crafted application that makes a pipe connection to the process and sends malicious serialized data or (2) a crafted Microsoft Management Console snap-in control file.
References
Link | Resource |
---|---|
https://centrify.force.com/support/Article/KB-22420-Centrify-Agent-for-Windows-Remote-Code-Execution-Vulnerability | Patch Vendor Advisory |
https://centrify.force.com/support/Article/KB-22420-Centrify-Agent-for-Windows-Remote-Code-Execution-Vulnerability | Patch Vendor Advisory |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
History
21 Nov 2024, 04:33
Type | Values Removed | Values Added |
---|---|---|
References | () https://centrify.force.com/support/Article/KB-22420-Centrify-Agent-for-Windows-Remote-Code-Execution-Vulnerability - Patch, Vendor Advisory |
Information
Published : 2019-11-05 16:15
Updated : 2024-11-21 04:33
NVD link : CVE-2019-18631
Mitre link : CVE-2019-18631
CVE.ORG link : CVE-2019-18631
JSON object : View
Products Affected
centrify
- infrastructure_services
- privilege_elevation_service
- authentication_service
CWE
CWE-502
Deserialization of Untrusted Data