Lucene search

ZscalerVULNRICHMENT:CVE-2024-23457

HistoryMay 01, 2024 - 4:26 p.m.

CVE-2024-23457 Anti-tampering can be disabled with uninstall password enforced

2024-05-0116:26:11

CWE-269

Zscaler

github.com

zscaler

client connector

windows

vulnerability

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

Low

EPSS

Percentile

9.0%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

The anti-tampering functionality of the Zscaler Client Connector can be disabled under certain conditions when an uninstall password is enforced. This affects Zscaler Client Connector on Windows prior to 4.2.0.209

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:zscaler:client_connector:-:*:*:*:*:windows:*:*"
    ],
    "vendor": "zscaler",
    "product": "client_connector",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "4.2.0.209",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

help.zscaler.com/client-connector/client-connector-app-release-summary-2023

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

Low

EPSS

Percentile

9.0%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2024-23457