Arbitrary command execution in Keybase Client for Windows
CVE-2021-34426

5.3MEDIUM

Key Information:

Vendor: Zoom
Status: Keybase Client For Windows
Vendor: CVE Published:; 14 December 2021

Summary

A vulnerability was discovered in the Keybase Client for Windows before version 5.6.0 when a user executed the "keybase git lfs-config" command on the command-line. In versions prior to 5.6.0, a malicious actor with write access to a user's Git repository could leverage this vulnerability to potentially execute arbitrary Windows commands on a user's local system.

Affected Version(s)

Keybase Client for Windows < 5.6.0

References

https://explore.zoom.us/en/trust/security/security-bulletin

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Dec 14, 2021
Vulnerability Reserved
Jun 9, 2021

Credit

RyotaK (https://blog.ryotak.me/)