Description
A flaw was found in the Lightspeed history service. Insufficient access controls allow a local, unprivileged user to access and manipulate the chat history of another user on the same system. By abusing inter-process communication calls to the history service, an attacker can view, delete, or inject arbitrary history entries, including misleading or malicious commands. This can be used to deceive another user into executing harmful actions, posing a risk of privilege misuse or unauthorized command execution through social engineering.
Statement
The Red Hat Product Security team assesses the severity of this vulnerability as Moderate, despite a CVSS v3.1 base score of 7.7. The issue is limited to local exploitation and does not require elevated privileges, making it accessible to any standard user on the system. Successful exploitation allows unauthorized access and manipulation of another user's chat history, potentially leading to exposure of sensitive data or injection of misleading commands. However, the impact is constrained to multi-user environments and does not affect remote systems or cause service disruption.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, which include ease of use and deployment, applicability to a widespread installation base, and system stability.
Additional information
Status:
CVSS3: 7.7 High