Local Privilege Escalation in Erlang/OTP Prior to Version 23.2.3
CVE-2021-29221
7 HIGH
What is CVE-2021-29221?
A local privilege escalation issue has been identified in Erlang/OTP, which affects versions prior to 23.2.3. This vulnerability can be exploited by a local attacker through the manipulation of file permissions within an existing installation's directory. Under certain conditions on the Windows operating system, an attacker may hijack the accounts of other users running Erlang applications or compel a service operating under 'erlsrv.exe' to execute arbitrary code with Local System privileges. The exploitation of this vulnerability necessitates unsafe filesystem permissions.
Affected Version(s)
Erlang/OTP < 23.2.3
CVSS V3.1
Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved