Vulnerability Description
Cryptomator is data encryption software for users who store their files in the cloud. Prior to version 1.9.2, the MSI installer provided on the homepage allows local privilege escalation (LPE) for low privileged users, if already installed. The problem occurs as the repair function of the MSI spawns two administrative CMDs. A simple LPE is possible via a breakout. Version 1.9.2 fixes this issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cryptomator | Cryptomator | < 1.9.2 |
Related Weaknesses (CWE)
References
- https://github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670Patch
- https://github.com/cryptomator/cryptomator/releases/tag/1.9.2Release Notes
- https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpExploitIssue TrackingVendor Advisory
- https://github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670Patch
- https://github.com/cryptomator/cryptomator/releases/tag/1.9.2Release Notes
- https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpExploitIssue TrackingVendor Advisory
FAQ
What is CVE-2023-37907?
CVE-2023-37907 is a vulnerability with a CVSS score of 7.0 (HIGH). Cryptomator is data encryption software for users who store their files in the cloud. Prior to version 1.9.2, the MSI installer provided on the homepage allows local privilege escalation (LPE) for low...
How severe is CVE-2023-37907?
CVE-2023-37907 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-37907?
Check the references section above for vendor advisories and patch information. Affected products include: Cryptomator Cryptomator.