Unrated severity · NVD Advisory · Published Aug 7, 2023 · Updated Oct 3, 2024
Cryptomator vulnerable to Local Elevation of Privileges
CVE-2023-39520
Description
Cryptomator encrypts data being stored on cloud infrastructure. The MSI installer provided on the homepage for Cryptomator version 1.9.2 allows local privilege escalation for low-privileged users via the repair function. The problem occurs because the repair function of the MSI spawns a SYSTEM PowerShell without the -NoProfile parameter, so the profile of the user starting the repair is loaded. Version 1.9.3 contains a fix for this issue. Adding -NoProfile to the PowerShell invocation is a possible workaround.
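The check below is an added example, not code from Cryptomator or from this advisory: it flags PowerShell command lines that would load a profile because -NoProfile (or an accepted abbreviation such as -NoP) is missing from the host options. The sample command lines and their paths are constructed, and the switch parsing is a simplified model of how powershell.exe reads its arguments.

```python
import ntpath
import re

POWERSHELL_HOSTS = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}

def _tokens(cmdline):
    """Split on whitespace, keeping double-quoted runs as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def _is_prefix(name, full, minimum):
    """PowerShell accepts switch abbreviations, e.g. -NoP for -NoProfile."""
    return len(name) >= minimum and full.startswith(name)

def loads_profile(cmdline):
    """True if cmdline starts a PowerShell host without -NoProfile."""
    tokens = _tokens(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in POWERSHELL_HOSTS:
        return False
    for token in tokens[1:]:
        if len(token) < 2 or token[0] not in "-/":
            continue  # a switch value, not a switch
        name = token[1:].lower()
        if _is_prefix(name, "noprofile", 3):
            return False
        # Text after these switches is script content, not host options,
        # so a "-NoProfile" appearing there does not suppress profiles.
        if (_is_prefix(name, "command", 1) or _is_prefix(name, "file", 1)
                or _is_prefix(name, "encodedcommand", 1) or name == "ec"):
            break
    return True

# Constructed command lines (hypothetical paths), e.g. taken from an
# installer's custom actions or from process-creation logs.
SAMPLES = [
    r'powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\Example\patch.ps1"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NoLogo -File C:\Example\patch.ps1',
    r'powershell -nop -c "Get-Service"',
    r'powershell.exe -Command "Write-Output -NoProfile"',
    r'msiexec.exe /fa Example.msi',
]

def flagged(cmdlines):
    """Return the command lines that would load a PowerShell profile."""
    return [c for c in cmdlines if loads_profile(c)]

if __name__ == "__main__":
    for line in flagged(SAMPLES):
        print("loads profile:", line)
```

A command that is passed positionally, without -Command or -File, is not modelled here, so a -NoProfile placed after such a script would be counted as a host option.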
Affected products
- Range: <= 1.9.2
References
- github.com/cryptomator/cryptomator/commit/727c32ad50c3901a6144a11cf984a3b7ebcf8b2b (mitre, x_refsource_MISC)
- github.com/cryptomator/cryptomator/releases/download/1.9.2/Cryptomator-1.9.2-x64.msi (mitre, x_refsource_MISC)
- github.com/cryptomator/cryptomator/releases/tag/1.9.3 (mitre, x_refsource_MISC)
- github.com/cryptomator/cryptomator/security/advisories/GHSA-62gx-54j7-mjh3 (mitre, x_refsource_CONFIRM)