{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-37907", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-07-10T17:51:29.611Z", "datePublished": "2023-07-25T20:11:50.843Z", "dateUpdated": "2024-10-03T18:51:28.195Z"}, "containers": {"cna": {"title": "Cryptomator's MSI installer allows local privilege escalation", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpjq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpjq"}, {"name": "https://github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670b868fa208c", "tags": ["x_refsource_MISC"], "url": "https://github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670b868fa208c"}, {"name": "https://github.com/cryptomator/cryptomator/releases/tag/1.9.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/cryptomator/cryptomator/releases/tag/1.9.2"}], "affected": [{"vendor": "cryptomator", "product": "cryptomator", "versions": [{"version": "1.9.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-07-25T20:11:50.843Z"}, "descriptions": [{"lang": "en", "value": "Cryptomator is data encryption software for users who store their files in the cloud. Prior to version 1.9.2, the MSI installer provided on the homepage allows local privilege escalation (LPE) for low privileged users, if already installed. The problem occurs as the repair function of the MSI spawns two administrative CMDs. A simple LPE is possible via a breakout. Version 1.9.2 fixes this issue."}], "source": {"advisory": "GHSA-9c9p-c3mg-hpjq", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:23:27.669Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpjq", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpjq"}, {"name": "https://github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670b868fa208c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670b868fa208c"}, {"name": "https://github.com/cryptomator/cryptomator/releases/tag/1.9.2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cryptomator/cryptomator/releases/tag/1.9.2"}]}, {"affected": [{"vendor": "cryptomator", "product": "cryptomator", "cpes": ["cpe:2.3:a:cryptomator:cryptomator:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.9.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-03T18:49:01.856664Z", "id": "CVE-2023-37907", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T18:51:28.195Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpjq", "name": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpjq", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670b868fa208c", "name": "https://github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670b868fa208c", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/cryptomator/cryptomator/releases/tag/1.9.2", "name": "https://github.com/cryptomator/cryptomator/releases/tag/1.9.2", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:23:27.669Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-37907", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-03T18:49:01.856664Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cryptomator:cryptomator:*:*:*:*:*:*:*:*"], "vendor": "cryptomator", "product": "cryptomator", "versions": [{"status": "affected", "version": "0", "lessThan": "1.9.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T18:51:21.401Z"}}], "cna": {"title": "Cryptomator's MSI installer allows local privilege escalation", "source": {"advisory": "GHSA-9c9p-c3mg-hpjq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "cryptomator", "product": "cryptomator", "versions": [{"status": "affected", "version": "1.9.2"}]}], "references": [{"url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpjq", "name": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpjq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670b868fa208c", "name": "https://github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670b868fa208c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/cryptomator/cryptomator/releases/tag/1.9.2", "name": "https://github.com/cryptomator/cryptomator/releases/tag/1.9.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Cryptomator is data encryption software for users who store their files in the cloud. Prior to version 1.9.2, the MSI installer provided on the homepage allows local privilege escalation (LPE) for low privileged users, if already installed. The problem occurs as the repair function of the MSI spawns two administrative CMDs. A simple LPE is possible via a breakout. Version 1.9.2 fixes this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-07-25T20:11:50.843Z"}}}, "cveMetadata": {"cveId": "CVE-2023-37907", "state": "PUBLISHED", "dateUpdated": "2024-10-03T18:51:28.195Z", "dateReserved": "2023-07-10T17:51:29.611Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-07-25T20:11:50.843Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cryptomator:cryptomator:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6EF2069-0E55-490C-B06D-DB5B9BC584D2", "versionEndExcluding": "1.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cryptomator is data encryption software for users who store their files in the cloud. Prior to version 1.9.2, the MSI installer provided on the homepage allows local privilege escalation (LPE) for low privileged users, if already installed. The problem occurs as the repair function of the MSI spawns two administrative CMDs. A simple LPE is possible via a breakout. Version 1.9.2 fixes this issue."}], "id": "CVE-2023-37907", "lastModified": "2024-11-21T08:12:26.597", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-25T21:15:10.647", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670b868fa208c"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/cryptomator/cryptomator/releases/tag/1.9.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpjq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670b868fa208c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/cryptomator/cryptomator/releases/tag/1.9.2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpjq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}