CVE-2020-26893

An issue was discovered in ClamXAV 3 before 3.1.1. A malicious actor could use a properly signed copy of ClamXAV 2 (running with an injected malicious dylib) to communicate with ClamXAV 3's helper tool and perform privileged operations. This occurs because of inadequate client verification in the helper tool.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
VendorProductVersion
clamxavclamxav
3.0.0 ≤
𝑥
< 3.1.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://gist.github.com/matt-clamxav/d341bd48f12a14d2147f8ce860bb36d0
https://gist.github.com/matt-clamxav/d341bd48f12a14d2147f8ce860bb36d0