Vulnerability Description
Backblaze for Windows and Backblaze for macOS before 7.0.0.439 suffer from improper privilege management in `bztransmit` helper due to lack of permission handling and validation before creation of client update directories allowing for local escalation of privilege via rogue client update binary.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Backblaze | Backblaze | < 7.0.0.439 |
Related Weaknesses (CWE)
References
- https://github.com/geffner/CVE-2020-8290/blob/master/README.mdExploitThird Party Advisory
- https://hackerone.com/reports/818857Permissions Required
- https://youtu.be/OpC6neWd2aMExploitThird Party Advisory
- https://github.com/geffner/CVE-2020-8290/blob/master/README.mdExploitThird Party Advisory
- https://hackerone.com/reports/818857Permissions Required
- https://youtu.be/OpC6neWd2aMExploitThird Party Advisory
FAQ
What is CVE-2020-8290?
CVE-2020-8290 is a vulnerability with a CVSS score of 7.8 (HIGH). Backblaze for Windows and Backblaze for macOS before 7.0.0.439 suffer from improper privilege management in `bztransmit` helper due to lack of permission handling and validation before creation of cli...
How severe is CVE-2020-8290?
CVE-2020-8290 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-8290?
Check the references section above for vendor advisories and patch information. Affected products include: Backblaze Backblaze.