CVE-2023-33865 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADP	ADP	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Affected Products (NVD)

Vendor	Product	Version
renderdoc	renderdoc	𝑥 < 1.27

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

renderdoc

bookworm	no-dsa
bullseye	vulnerable
bullseye (security)	1.11+dfsg-5+deb11u1 fixed
sid/non-free	1.27+dfsg-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

renderdoc

bionic	ignored
focal	needs-triage
jammy	needs-triage
kinetic	ignored
lunar	ignored
mantic	ignored
noble	dne
oracular	dne
trusty	ignored
xenial	ignored

Known Exploits!

Common Weakness Enumeration

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References

http://packetstormsecurity.com/files/172804/RenderDoc-1.26-Local-Privilege-Escalation-Remote-Code-Execution.html

http://seclists.org/fulldisclosure/2023/Jun/2

https://lists.debian.org/debian-lts-announce/2023/07/msg00023.html

https://renderdoc.org/

https://security.gentoo.org/glsa/202311-10

https://www.qualys.com/2023/06/06/renderdoc/renderdoc.txt

http://packetstormsecurity.com/files/172804/RenderDoc-1.26-Local-Privilege-Escalation-Remote-Code-Execution.html

http://seclists.org/fulldisclosure/2023/Jun/2

https://lists.debian.org/debian-lts-announce/2023/07/msg00023.html

https://lists.debian.org/debian-lts-announce/2024/12/msg00008.html

https://renderdoc.org/

https://security.gentoo.org/glsa/202311-10

https://www.qualys.com/2023/06/06/renderdoc/renderdoc.txt