Vulnerability in Sandboxie Allows User to Access Other Users' Files
CVE-2024-49360

9.2CRITICAL

Key Information:

Vendor: Sandboxie-plus
Status: Sandboxie
Vendor: CVE Published:; 29 November 2024

🔔 Create Sandboxie-plus Vulnerability Alert

What is CVE-2024-49360?

The Sandboxie isolation software, designed to create a secure environment for running applications, is susceptible to an issue where an authenticated user can access files belonging to other users within the sandbox folders. Specifically, user-controlled access allows certain files in directories such as C:\Sandbox\UserB\xxx to be read by an attacker with minimal privileges. This vulnerability stems from inadequate access controls related to the management of sandbox ACLs, which do not reset appropriately during sandbox operations. While files in user folders outside of the sandbox remain secure, any files created or modified within the sandbox environment may be compromised. As this vulnerability has yet to be patched, users are strongly advised to restrict access to their systems using Sandboxie until a resolution is available.

Affected Version(s)

Sandboxie < v1.14.6 / 5.69.6

References

https://github.com/sandboxie-plus/Sandboxie/security/advi...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.2

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 29, 2024
Vulnerability Reserved
Oct 14, 2024