CVE-2019-9486

Опубликовано: 30 апр. 2019

Источник: nvd

CVSS3: 8.8

CVSS2: 9

EPSS Низкий

Описание

STRATO HiDrive Desktop Client 5.0.1.0 for Windows suffers from a SYSTEM privilege escalation vulnerability through the HiDriveMaintenanceService service. This service establishes a NetNamedPipe endpoint that allows applications to connect and call publicly exposed methods. An attacker can inject and execute code by hijacking the insecure communications with the service. This vulnerability also affects Telekom MagentaCLOUD through 5.7.0.0 and 1&1 Online Storage through 6.1.0.0.

Ссылки

https://zer0-day.pw/articles/2019-04/HiDrive-LPE-via-Insecure-WCF-endpoint
Exploit
Third Party Advisory
https://zer0-day.pw/articles/2019-04/HiDrive-LPE-via-Insecure-WCF-endpoint
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:strato:hidrive_desktop_client:*:*:*:*:*:windows:*:*

Версия до 5.0.1.0 (включая)

Конфигурация 2

cpe:2.3:a:telekom:magentacloud:*:*:*:*:*:*:*:*

Версия до 5.7.0.0 (включая)

Конфигурация 3

cpe:2.3:a:ionos:1\&1_online_storage:*:*:*:*:*:*:*:*

Версия до 6.1.0.0 (включая)

EPSS

Процентиль: 72%

0.00723

Низкий

8.8 High

CVSS3

9 Critical

CVSS2

Дефекты

CWE-367

Связанные уязвимости

GHSA-2ghq-8m9c-mqjm

github

больше 3 лет назад