Privilege Escalation Vulnerability in 7-Zip on Windows
CVE-2018-10172

8.8 HIGH

Key Information:

Vendor: 7-zip
Status
Vendor
CVE Published: 16 April 2018

Summary

7-Zip versions through 18.01 on Windows implement the 'Large memory pages' option by calling the LsaAddAccountRights function. This implementation adds the SeLockMemoryPrivilege privilege to user accounts, potentially enabling attackers to circumvent established access controls. While this feature has been a topic of debate among security experts regarding its validity within Windows, the implications for system security cannot be overlooked, especially in a sandboxed environment.
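To check whether a host has been left in the state the summary describes, the following added example (not part of this record or of 7-Zip) lists account-level holders of SeLockMemoryPrivilege. It assumes the decoded text of a user-rights export produced with `secedit /export /cfg <file> /areas USER_RIGHTS`; the sample export, its SIDs and the `svc_sql` name are constructed.

```python
import re

# Constructed sample of a secedit USER_RIGHTS export (SIDs and names are made up).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeLockMemoryPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1001,*S-1-5-32-544,svc_sql
SeShutdownPrivilege = *S-1-5-32-544
"""

# SIDs under S-1-5-21 belong to a specific machine or domain (users and groups).
ACCOUNT_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def holders(inf_text, right="SeLockMemoryPrivilege"):
    """Return the principals listed for `right` in the [Privilege Rights] section."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == right.lower():
            return [p.strip() for p in value.split(",") if p.strip()]
    return []  # right not listed in the export: nothing to review


def classify(principal):
    """'account' for machine/domain principals, 'well-known' for built-in SIDs."""
    if principal.startswith("*"):  # secedit writes SIDs with a leading '*'
        return "account" if ACCOUNT_SID.match(principal[1:]) else "well-known"
    return "account"  # a bare entry is an account name


def audit(inf_text):
    """Account-level holders of SeLockMemoryPrivilege that warrant review."""
    return [p for p in holders(inf_text) if classify(p) == "account"]


if __name__ == "__main__":
    for principal in audit(SAMPLE_INF):
        print("review:", principal)
```

Any account reported here should be matched against a documented need for locked pages (for example a database service account); an interactive user's SID is the pattern the summary describes.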

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
