Local Privilege Escalation Vulnerability in Parallels Access by Parallels
CVE-2022-34901

7.8HIGH

Key Information:

Vendor: Parallels
Status: Access
Vendor: CVE Published:; 18 July 2022

What is CVE-2022-34901?

This vulnerability in Parallels Access 6.5.4 allows local attackers to escalate their privileges by exploiting a flaw within the Parallels Service. The service's execution of files from an unsecured location poses a risk, enabling an attacker who already possesses low-privileged access to run arbitrary code as the root user. This security issue underscores the importance of proper file handling practices and ensuring that services operate within secure boundaries.

Affected Version(s)

Access 6.5.4 (39316)

References

https://kb.parallels.com/en/129010

x_refsource_MISC

https://www.zerodayinitiative.com/advisories/ZDI-22-948/

x_refsource_MISC

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 18, 2022
Vulnerability Reserved
Jul 1, 2022

Credit

Reno Robert of Trend Micro Zero Day Initiative