Vulnerability in Sandboxie Allows User to Access Other Users' Files
CVE-2024-49360

9.2 CRITICAL

Key Information:

CVE Published: 29 November 2024

What is CVE-2024-49360?

Sandboxie, isolation software designed to create a secure environment for running applications, is susceptible to an issue where an authenticated user can access files belonging to other users within the sandbox folders. Specifically, certain files in directories such as C:\Sandbox\UserB\xxx can be read by an attacker with minimal privileges. The vulnerability stems from inadequate access controls in the management of sandbox ACLs, which are not reset appropriately during sandbox operations. Files in user folders outside of the sandbox remain secure, but any files created or modified within the sandbox environment may be compromised. As this vulnerability has yet to be patched, users are strongly advised to restrict access to systems running Sandboxie until a resolution is available.
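To check a host for the exposure described above, list the access entries on each per-user sandbox folder and flag read grants to groups that contain other local users. This is an added example, not code from Sandboxie or from this advisory; the sandbox root `C:\Sandbox`, the one-folder-per-user layout (inferred from the `C:\Sandbox\UserB\xxx` path above) and the choice of "broad" groups are assumptions.

```powershell
# Added example: audit per-user sandbox folders for ACL entries that let
# other local users read them. Assumptions: the sandbox root is C:\Sandbox
# and each first-level folder belongs to one user (e.g. C:\Sandbox\UserB).
param(
    [string]$SandboxRoot = 'C:\Sandbox'
)

# Well-known SIDs of groups that include other users of the machine.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# ReadData/ListDirectory (0x1), GENERIC_READ (0x80000000), GENERIC_ALL (0x10000000).
$readMask = 0x1 -bor 0x80000000 -bor 0x10000000

$findings = foreach ($userDir in Get-ChildItem -LiteralPath $SandboxRoot -Directory -ErrorAction Stop) {
    # Check the user's folder and each sandbox folder directly below it.
    $targets = @($userDir) + @(Get-ChildItem -LiteralPath $userDir.FullName -Directory -ErrorAction SilentlyContinue)
    foreach ($dir in $targets) {
        try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($dir.FullName)"; continue }
        # Ask for SIDs rather than names so the check is locale independent.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not ([int]$ace.FileSystemRights -band $readMask)) { continue }
            $sid = $ace.IdentityReference.Value
            if ($broadSids.ContainsKey($sid)) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Owner     = $acl.Owner
                    Principal = $broadSids[$sid]
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { Write-Output "No broad read grants found under $SandboxRoot" }
```

Run it from an elevated prompt so that every user's folder can be inspected; a row in the output means that folder is readable by accounts other than its owner.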

Affected Version(s)

Sandboxie < v1.14.6 / 5.69.6

CVSS V3.1

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
