Lucene search

K
cvelistZdiCVELIST:CVE-2023-32176
HistoryMay 03, 2024 - 1:56 a.m.

CVE-2023-32176 VIPRE Antivirus Plus SetPrivateConfig Directory Traversal Local Privilege Escalation Vulnerability

2024-05-0301:56:52
CWE-22
zdi
www.cve.org
vipre antivirus
setprivateconfig
directory traversal
local privilege escalation
vulnerability
user-supplied path
file operations
arbitrary code
zdi-can-19394

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

39.9%

VIPRE Antivirus Plus SetPrivateConfig Directory Traversal Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of VIPRE Antivirus Plus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the SetPrivateConfig method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-19394.

CNA Affected

[
  {
    "vendor": "VIPRE",
    "product": "Antivirus Plus",
    "versions": [
      {
        "version": "R.47.0.0 AutoCAD 2021 & R.47.0.0 AutoCAD LT 2021",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  }
]

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

39.9%

Related for CVELIST:CVE-2023-32176