CVE-2023-39520 — MEDIUM (5.5)

Q: How severe is CVE-2023-39520?

CVE-2023-39520 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-39520?

Check the references section above for vendor advisories and patch information. Affected products include: Cryptomator Cryptomator.

Vulnerability Description

Cryptomator encrypts data being stored on cloud infrastructure. The MSI installer provided on the homepage for Cryptomator version 1.9.2 allows local privilege escalation for low privileged users, via the `repair` function. The problem occurs as the repair function of the MSI is spawning an SYSTEM Powershell without the `-NoProfile` parameter. Therefore the profile of the user starting the repair will be loaded. Version 1.9.3 contains a fix for this issue. Adding a `-NoProfile` to the powershell is a possible workaround.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Cryptomator	Cryptomator	< 1.9.3

Related Weaknesses (CWE)

CWE-269

References

https://github.com/cryptomator/cryptomator/commit/727c32ad50c3901a6144a11cf984a3Patch
https://github.com/cryptomator/cryptomator/releases/download/1.9.2/Cryptomator-1Product
https://github.com/cryptomator/cryptomator/releases/tag/1.9.3Release Notes
https://github.com/cryptomator/cryptomator/security/advisories/GHSA-62gx-54j7-mjExploitMitigationVendor Advisory
https://github.com/cryptomator/cryptomator/commit/727c32ad50c3901a6144a11cf984a3Patch
https://github.com/cryptomator/cryptomator/releases/download/1.9.2/Cryptomator-1Product
https://github.com/cryptomator/cryptomator/releases/tag/1.9.3Release Notes
https://github.com/cryptomator/cryptomator/security/advisories/GHSA-62gx-54j7-mjExploitMitigationVendor Advisory

FAQ

What is CVE-2023-39520?

CVE-2023-39520 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Cryptomator encrypts data being stored on cloud infrastructure. The MSI installer provided on the homepage for Cryptomator version 1.9.2 allows local privilege escalation for low privileged users, via...

How severe is CVE-2023-39520?

CVE-2023-39520 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-39520?

Check the references section above for vendor advisories and patch information. Affected products include: Cryptomator Cryptomator.