Cryptomator encrypts data being stored on cloud infrastructure. The MSI installer provided on the homepage for Cryptomator version 1.9.2 allows local privilege escalation for low privileged users, via the `repair` function. The problem occurs as the repair function of the MSI is spawning an SYSTEM Powershell without the `-NoProfile` parameter. Therefore the profile of the user starting the repair will be loaded. Version 1.9.3 contains a fix for this issue. Adding a `-NoProfile` to the powershell is a possible workaround.
References
Configurations
History
11 Aug 2023, 18:10
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/cryptomator/cryptomator/releases/download/1.9.2/Cryptomator-1.9.2-x64.msi - Product | |
References | (MISC) https://github.com/cryptomator/cryptomator/releases/tag/1.9.3 - Release Notes | |
References | (MISC) https://github.com/cryptomator/cryptomator/commit/727c32ad50c3901a6144a11cf984a3b7ebcf8b2b - Patch | |
References | (MISC) https://github.com/cryptomator/cryptomator/security/advisories/GHSA-62gx-54j7-mjh3 - Exploit, Mitigation, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
First Time |
Cryptomator cryptomator
Cryptomator |
|
CPE | cpe:2.3:a:cryptomator:cryptomator:*:*:*:*:*:*:*:* |
07 Aug 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-08-07 20:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-39520
Mitre link : CVE-2023-39520
CVE.ORG link : CVE-2023-39520
JSON object : View
Products Affected
cryptomator
- cryptomator
CWE
CWE-269
Improper Privilege Management