1. Home
  2. CVE Database
  3. CVE-2019-11396
HIGH · 7.8

CVE-2019-11396

An issue was discovered in Avira Free Security Suite 10. The permissive access rights on the SoftwareUpdater folder (files / folders and configuration) are incompatible with the privileged file manipu...

Vulnerability Description

An issue was discovered in Avira Free Security Suite 10. The permissive access rights on the SoftwareUpdater folder (files / folders and configuration) are incompatible with the privileged file manipulation performed by the product. Files can be created that can be used by an unprivileged user to obtain SYSTEM privileges. Arbitrary file creation can be achieved by abusing the SwuConfig.json file creation: an unprivileged user can replace these files by pseudo-symbolic links to arbitrary files. When an update occurs, a privileged service creates a file and sets its access rights, offering write access to the Everyone group in any directory.

CVSS Score

7.8

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
AviraFree Security Suite2019
AviraSoftware Updater<= 2.0.6.13175
MicrosoftWindows-

Related Weaknesses (CWE)

CWE-59

References

FAQ

What is CVE-2019-11396?

CVE-2019-11396 is a vulnerability with a CVSS score of 7.8 (HIGH). An issue was discovered in Avira Free Security Suite 10. The permissive access rights on the SoftwareUpdater folder (files / folders and configuration) are incompatible with the privileged file manipu...

How severe is CVE-2019-11396?

CVE-2019-11396 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-11396?

Check the references section above for vendor advisories and patch information. Affected products include: Avira Free Security Suite, Avira Software Updater, Microsoft Windows.