Vulnerability Description
Signal Desktop before 1.29.1 on Windows allows local users to gain privileges by creating a Trojan horse %SYSTEMDRIVE%\node_modules\.bin\wmic.exe file.
CVSS Score
7.3
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Signal | Signal-Desktop | < 1.29.1 |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://blog.mirch.io/2019/12/18/signal-desktop-windows-lpe/ExploitPatchThird Party Advisory
- https://github.com/signalapp/Signal-Desktop/commit/2da39cca673cc11be3c6d70d4fb95Patch
- https://blog.mirch.io/2019/12/18/signal-desktop-windows-lpe/ExploitPatchThird Party Advisory
- https://github.com/signalapp/Signal-Desktop/commit/2da39cca673cc11be3c6d70d4fb95Patch
FAQ
What is CVE-2019-19954?
CVE-2019-19954 is a vulnerability with a CVSS score of 7.3 (HIGH). Signal Desktop before 1.29.1 on Windows allows local users to gain privileges by creating a Trojan horse %SYSTEMDRIVE%\node_modules\.bin\wmic.exe file.
How severe is CVE-2019-19954?
CVE-2019-19954 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-19954?
Check the references section above for vendor advisories and patch information. Affected products include: Signal Signal-Desktop, Microsoft Windows.