CVE-2023-37907

Cryptomator is data encryption software for users who store their files in the cloud. Prior to version 1.9.2, the MSI installer provided on the homepage allows local privilege escalation (LPE) for low privileged users, if already installed. The problem occurs as the repair function of the MSI spawns two administrative CMDs. A simple LPE is possible via a breakout. Version 1.9.2 fixes this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7 HIGH
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
cryptomatorcryptomator
𝑥
< 1.9.2
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
cryptomatorcryptomator
𝑥
< 1.9.2
ADP
Common Weakness Enumeration
References
https://github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670b868fa208c
https://github.com/cryptomator/cryptomator/releases/tag/1.9.2
https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpjq
https://github.com/cryptomator/cryptomator/commit/b48ebd524b1626bf12ac98e35a7670b868fa208c
https://github.com/cryptomator/cryptomator/releases/tag/1.9.2
https://github.com/cryptomator/cryptomator/security/advisories/GHSA-9c9p-c3mg-hpjq