cnvd - cnvd-2019-29220

CNVD-2019-29220

Vulnerability from cnvd - Published: 2019-08-29

Title

Objective Development Software Little Snitch privileged helper tool提权漏洞

Description

Objective Development Software Little Snitch是奥地利Objective Development Software公司的一款基于主机的macOS应用防火墙。privileged helper tool是其中的一个帮助工具。 Objective Development Software Little Snitch 4.3.0版本至4.3.2版本中的privileged helper tool存在提权漏洞，攻击者可利用该漏洞以root权限列出目录并复制文件。

Severity

中

Patch Name

Objective Development Software Little Snitch privileged helper tool提权漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://obdev.at/cve/2019-13013-OSv2mEFD3z.html

Reference

https://obdev.at/cve/2019-13013-OSv2mEFD3z.html https://nvd.nist.gov/vuln/detail/CVE-2019-13013

Impacted products

Name
Objective Development Software Objective Development Software Little Snitch >=4.3.0，<=4.3.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-13013"
    }
  },
  "description": "Objective Development Software Little Snitch\u662f\u5965\u5730\u5229Objective Development Software\u516c\u53f8\u7684\u4e00\u6b3e\u57fa\u4e8e\u4e3b\u673a\u7684macOS\u5e94\u7528\u9632\u706b\u5899\u3002privileged helper tool\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5e2e\u52a9\u5de5\u5177\u3002\n\nObjective Development Software Little Snitch 4.3.0\u7248\u672c\u81f34.3.2\u7248\u672c\u4e2d\u7684privileged helper tool\u5b58\u5728\u63d0\u6743\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5root\u6743\u9650\u5217\u51fa\u76ee\u5f55\u5e76\u590d\u5236\u6587\u4ef6\u3002",
  "discovererName": "unknown",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://obdev.at/cve/2019-13013-OSv2mEFD3z.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-29220",
  "openTime": "2019-08-29",
  "patchDescription": "Objective Development Software Little Snitch\u662f\u5965\u5730\u5229Objective Development Software\u516c\u53f8\u7684\u4e00\u6b3e\u57fa\u4e8e\u4e3b\u673a\u7684macOS\u5e94\u7528\u9632\u706b\u5899\u3002privileged helper tool\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5e2e\u52a9\u5de5\u5177\u3002\r\n\r\nObjective Development Software Little Snitch 4.3.0\u7248\u672c\u81f34.3.2\u7248\u672c\u4e2d\u7684privileged helper tool\u5b58\u5728\u63d0\u6743\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5root\u6743\u9650\u5217\u51fa\u76ee\u5f55\u5e76\u590d\u5236\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Objective Development Software Little Snitch privileged helper tool\u63d0\u6743\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Objective Development Software Objective Development Software Little Snitch \u003e=4.3.0\uff0c\u003c=4.3.2"
  },
  "referenceLink": "https://obdev.at/cve/2019-13013-OSv2mEFD3z.html\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-13013",
  "serverity": "\u4e2d",
  "submitTime": "2019-08-27",
  "title": "Objective Development Software Little Snitch privileged helper tool\u63d0\u6743\u6f0f\u6d1e"
}

CVE-2019-13013 (GCVE-0-2019-13013)

Vulnerability from cvelistv5 – Published: 2019-08-23 16:58 – Updated: 2024-08-04 23:41

Summary

Little Snitch versions 4.3.0 to 4.3.2 have a local privilege escalation vulnerability in their privileged helper tool. The privileged helper tool implements an XPC interface which is available to any process and allows directory listings and copying files as root.

Severity ?

No CVSS data available.

CWE

CWE-264 - Permissions, Privileges, and Access Controls

Assigner

obdev

References

URL

Tags

https://obdev.at/cve/2019-13013-OSv2mEFD3z.html

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	Little Snitch	Affected: 4.3 - 4.3.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:41:10.198Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://obdev.at/cve/2019-13013-OSv2mEFD3z.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Little Snitch",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "4.3 - 4.3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Little Snitch versions 4.3.0 to 4.3.2 have a local privilege escalation vulnerability in their privileged helper tool. The privileged helper tool implements an XPC interface which is available to any process and allows directory listings and copying files as root."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-264",
              "description": "CWE-264: Permissions, Privileges, and Access Controls",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-08-23T16:58:49",
        "orgId": "e0cebea7-a708-4bfe-81c1-855d35eb4544",
        "shortName": "obdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://obdev.at/cve/2019-13013-OSv2mEFD3z.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-13013",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Little Snitch",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "4.3 - 4.3.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Little Snitch versions 4.3.0 to 4.3.2 have a local privilege escalation vulnerability in their privileged helper tool. The privileged helper tool implements an XPC interface which is available to any process and allows directory listings and copying files as root."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-264: Permissions, Privileges, and Access Controls"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://obdev.at/cve/2019-13013-OSv2mEFD3z.html",
              "refsource": "MISC",
              "url": "https://obdev.at/cve/2019-13013-OSv2mEFD3z.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e0cebea7-a708-4bfe-81c1-855d35eb4544",
    "assignerShortName": "obdev",
    "cveId": "CVE-2019-13013",
    "datePublished": "2019-08-23T16:58:49",
    "dateReserved": "2019-06-28T00:00:00",
    "dateUpdated": "2024-08-04T23:41:10.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-29220

CVE-2019-13013 (GCVE-0-2019-13013)

Tags

Sightings

Nomenclature