CVE-2024-7062

Nimble Commander suffers from a privilege escalation vulnerability due to the server (info.filesmanager.Files.PrivilegedIOHelperV2) performing improper/insufficient validation of a client’s authorization before executing an operation. Consequently, it is possible to execute system-level commands as the root user, such as changing permissions and ownership, obtaining a handle (file descriptor) of an arbitrary file, and terminating processes, among other operations.
References
Link Resource
https://pentraze.com/vulnerability-reports/CVE-2024-7062/ Exploit Mitigation Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:mikekazakov:nimble_commander:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

History

27 Aug 2024, 14:00

Type Values Removed Values Added
Summary
  • (es) Nimble Commander sufre una vulnerabilidad de escalada de privilegios debido a que el servidor (info.filesmanager.Files.PrivilegedIOHelperV2) realiza una validación incorrecta o insuficiente de la autorización de un cliente antes de ejecutar una operación. En consecuencia, es posible ejecutar comandos a nivel de sistema como usuario root, como cambiar permisos y propiedad, obtener un identificador (descriptor de archivo) de un archivo arbitrario y finalizar procesos, entre otras operaciones.
First Time Mikekazakov
Apple
Apple macos
Mikekazakov nimble Commander
CVSS v2 : unknown
v3 : 8.8
v2 : unknown
v3 : 7.8
CPE cpe:2.3:a:mikekazakov:nimble_commander:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
References () https://pentraze.com/vulnerability-reports/CVE-2024-7062/ - () https://pentraze.com/vulnerability-reports/CVE-2024-7062/ - Exploit, Mitigation, Third Party Advisory

26 Jul 2024, 12:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-26 12:15

Updated : 2024-08-27 14:00


NVD link : CVE-2024-7062

Mitre link : CVE-2024-7062

CVE.ORG link : CVE-2024-7062


JSON object : View

Products Affected

apple

  • macos

mikekazakov

  • nimble_commander
CWE
CWE-863

Incorrect Authorization