Potential File Corruption Vulnerability in GOG Galaxy Client
CVE-2023-50915
6.5 MEDIUM
What is CVE-2023-50915?
A significant vulnerability has been identified in the GOG Galaxy client, specifically in the GalaxyClientService.exe process. In GOG Galaxy (Beta) versions 2.0.67.2 to 2.0.71.2, an authenticated user can combine NTFS Junctions with RPC Object Manager symbolic links to overwrite critical system files, potentially resulting in service disruption and downtime. Users are encouraged to review their security measures and apply necessary updates to mitigate this risk.
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged