CVE-2018-10172 — HIGH (8.8)

Q: How severe is CVE-2018-10172?

CVE-2018-10172 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-10172?

Check the references section above for vendor advisories and patch information. Affected products include: 7-Zip 7-Zip.

Vulnerability Description

7-Zip through 18.01 on Windows implements the "Large memory pages" option by calling the LsaAddAccountRights function to add the SeLockMemoryPrivilege privilege to the user's account, which makes it easier for attackers to bypass intended access restrictions by using this privilege in the context of a sandboxed process. Note: This has been disputed by 3rd parties who argue this is a valid feature of Windows.

CVSS Score

8.8

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
7-Zip	7-Zip	<= 18.01

Related Weaknesses (CWE)

CWE-269

References

https://sourceforge.net/p/sevenzip/discussion/45797/thread/e730c709/?limit=25&paThird Party Advisory
https://sourceforge.net/p/sevenzip/discussion/45797/thread/e730c709/?limit=25&paThird Party Advisory

FAQ

What is CVE-2018-10172?

CVE-2018-10172 is a vulnerability with a CVSS score of 8.8 (HIGH). 7-Zip through 18.01 on Windows implements the "Large memory pages" option by calling the LsaAddAccountRights function to add the SeLockMemoryPrivilege privilege to the user's account, which makes it e...

How severe is CVE-2018-10172?

CVE-2018-10172 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-10172?

Check the references section above for vendor advisories and patch information. Affected products include: 7-Zip 7-Zip.