CVE-2024-23483 (GCVE-0-2024-23483)
Vulnerability from cvelistv5 – Published: 2024-08-06 15:30 – Updated: 2024-08-06 18:08
VLAI?
Title
Local Privilege Escalation via lack of input validation
Summary
An Improper Input Validation vulnerability in Zscaler Client Connector on MacOS allows OS Command Injection. This issue affects Zscaler Client Connector on MacOS <4.2.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Zscaler | Client Connector |
Affected:
0 , < 4.2
(custom)
|
Credits
Singapore GovTech Red Team
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:macos:*:*"
],
"defaultStatus": "unaffected",
"product": "client_connector",
"vendor": "zscaler",
"versions": [
{
"lessThan": "4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23483",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-06T17:42:35.559952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T18:08:53.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"MacOS"
],
"product": "Client Connector",
"vendor": "Zscaler",
"versions": [
{
"lessThan": "4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Singapore GovTech Red Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Input Validation vulnerability in Zscaler Client Connector on MacOS allows OS Command Injection.\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eThis issue affects Zscaler Client Connector on MacOS \u0026lt;4.2.\u003c/span\u003e"
}
],
"value": "An Improper Input Validation vulnerability in Zscaler Client Connector on MacOS allows OS Command Injection.\u00a0This issue affects Zscaler Client Connector on MacOS \u003c4.2."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T15:30:51.851Z",
"orgId": "73c6f63b-efac-410d-a0a9-569700f85a04",
"shortName": "Zscaler"
},
"references": [
{
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=macos\u0026applicable_version=4.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Local Privilege Escalation via lack of input validation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "73c6f63b-efac-410d-a0a9-569700f85a04",
"assignerShortName": "Zscaler",
"cveId": "CVE-2024-23483",
"datePublished": "2024-08-06T15:30:51.851Z",
"dateReserved": "2024-01-17T16:32:36.625Z",
"dateUpdated": "2024-08-06T18:08:53.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:macos:*:*\", \"versionEndExcluding\": \"4.2\", \"matchCriteriaId\": \"44636F3C-BC75-49FD-9CC4-D451810B0898\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"An Improper Input Validation vulnerability in Zscaler Client Connector on MacOS allows OS Command Injection.\\u00a0This issue affects Zscaler Client Connector on MacOS \u003c4.2.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de validaci\\u00f3n de entrada incorrecta en Zscaler Client Connector en MacOS permite la inyecci\\u00f3n de comandos del sistema operativo. Este problema afecta a Zscaler Client Connector en MacOS \u0026lt;4.2.\"}]",
"id": "CVE-2024-23483",
"lastModified": "2024-08-07T21:23:09.080",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"cve@zscaler.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.0, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2024-08-06T16:15:47.850",
"references": "[{\"url\": \"https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=macos\u0026applicable_version=4.2\", \"source\": \"cve@zscaler.com\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "cve@zscaler.com",
"vulnStatus": "Analyzed",
"weaknesses": "[{\"source\": \"cve@zscaler.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-23483\",\"sourceIdentifier\":\"cve@zscaler.com\",\"published\":\"2024-08-06T16:15:47.850\",\"lastModified\":\"2024-08-07T21:23:09.080\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An Improper Input Validation vulnerability in Zscaler Client Connector on MacOS allows OS Command Injection.\u00a0This issue affects Zscaler Client Connector on MacOS \u003c4.2.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de validaci\u00f3n de entrada incorrecta en Zscaler Client Connector en MacOS permite la inyecci\u00f3n de comandos del sistema operativo. Este problema afecta a Zscaler Client Connector en MacOS \u0026lt;4.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@zscaler.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cve@zscaler.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:macos:*:*\",\"versionEndExcluding\":\"4.2\",\"matchCriteriaId\":\"44636F3C-BC75-49FD-9CC4-D451810B0898\"}]}]}],\"references\":[{\"url\":\"https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=macos\u0026applicable_version=4.2\",\"source\":\"cve@zscaler.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-23483\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-06T17:42:35.559952Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:macos:*:*\"], \"vendor\": \"zscaler\", \"product\": \"client_connector\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-06T18:08:46.216Z\"}}], \"cna\": {\"title\": \"Local Privilege Escalation via lack of input validation\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Singapore GovTech Red Team\"}], \"impacts\": [{\"capecId\": \"CAPEC-88\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-88 OS Command Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Zscaler\", \"product\": \"Client Connector\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.2\", \"versionType\": \"custom\"}], \"platforms\": [\"MacOS\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=macos\u0026applicable_version=4.2\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An Improper Input Validation vulnerability in Zscaler Client Connector on MacOS allows OS Command Injection.\\u00a0This issue affects Zscaler Client Connector on MacOS \u003c4.2.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An Improper Input Validation vulnerability in Zscaler Client Connector on MacOS allows OS Command Injection.\u0026nbsp;\u003cspan style=\\\"background-color: var(--wht);\\\"\u003eThis issue affects Zscaler Client Connector on MacOS \u0026lt;4.2.\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"73c6f63b-efac-410d-a0a9-569700f85a04\", \"shortName\": \"Zscaler\", \"dateUpdated\": \"2024-08-06T15:30:51.851Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-23483\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-06T18:08:53.764Z\", \"dateReserved\": \"2024-01-17T16:32:36.625Z\", \"assignerOrgId\": \"73c6f63b-efac-410d-a0a9-569700f85a04\", \"datePublished\": \"2024-08-06T15:30:51.851Z\", \"assignerShortName\": \"Zscaler\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…