Cryptomator's MSI installer allows local privilege escalation
CVE-2023-37907

7HIGH

Key Information:

Vendor

Cryptomator

Status
Cryptomator
Vendor
CVE Published:
25 July 2023

What is CVE-2023-37907?

Cryptomator, a widely used data encryption tool for cloud storage, is susceptible to a local privilege escalation issue. This vulnerability exists in the MSI installer before version 1.9.2, where a flaw in the repair function can lead to the execution of two administrative command prompts. Low-privileged users can exploit this vulnerability if the software is installed, potentially allowing unauthorized access to system privileges. Users are urged to update to version 1.9.2 to mitigate this risk.

Affected Version(s)

cryptomator 1.9.2

References

https://github.com/cryptomator/cryptomator/security/advis...
x_refsource_CONFIRM
https://github.com/cryptomator/cryptomator/commit/b48ebd5...
x_refsource_MISC
https://github.com/cryptomator/cryptomator/releases/tag/1...
x_refsource_MISC

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.