CVE-2019-11552 - Vulnerability Details - OpenCVE

ReportizFlow

Code42 Enterprise and Crashplan for Small Business Client version 6.7 before 6.7.5, 6.8 before 6.8.8, and 6.9 before 6.9.4 allows eval injection. A proxy auto-configuration file, crafted by a lesser privileged user, may be used to execute arbitrary code at a higher privilege as the service user.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Code42	Code42 For Enterprise Crashplan For Small Business

Configuration 1 [-]

OR	cpe:2.3:a:code42:code42_for_enterprise::::::::
	cpe:2.3:a:code42:code42_for_enterprise::::::::
	cpe:2.3:a:code42:code42_for_enterprise::::::::

Configuration 2 [-]

OR	cpe:2.3:a:code42:crashplan_for_small_business::::::::
	cpe:2.3:a:code42:crashplan_for_small_business::::::::
	cpe:2.3:a:code42:crashplan_for_small_business::::::::

No data.

References

Link	Providers
https://bordplate.no/blog/en/post/crashplan-privilege-escalation/
https://code42.com/r/support/CVE-2019-11552

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-19T13:51:23

Updated: 2024-08-04T22:55:40.988Z

Reserved: 2019-04-25T00:00:00

Link: CVE-2019-11552

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-07-19T14:15:12.297

Modified: 2024-11-21T04:21:19.983

Link: CVE-2019-11552

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Code42 Enterprise and Crashplan for Small Business Client version 6.7 before 6.7.5, 6.8 before 6.8.8, and 6.9 before 6.9.4 allows eval injection. A proxy auto-configuration file, crafted by a lesser privileged user, may be used to execute arbitrary code at a higher privilege as the service user."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-09-18T16:00:45", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bordplate.no/blog/en/post/crashplan-privilege-escalation/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://code42.com/r/support/CVE-2019-11552"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2019-11552", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Code42 Enterprise and Crashplan for Small Business Client version 6.7 before 6.7.5, 6.8 before 6.8.8, and 6.9 before 6.9.4 allows eval injection. A proxy auto-configuration file, crafted by a lesser privileged user, may be used to execute arbitrary code at a higher privilege as the service user."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bordplate.no/blog/en/post/crashplan-privilege-escalation/", "refsource": "MISC", "url": "https://bordplate.no/blog/en/post/crashplan-privilege-escalation/"}, {"name": "https://code42.com/r/support/CVE-2019-11552", "refsource": "CONFIRM", "url": "https://code42.com/r/support/CVE-2019-11552"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:55:40.988Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bordplate.no/blog/en/post/crashplan-privilege-escalation/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://code42.com/r/support/CVE-2019-11552"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-11552", "datePublished": "2019-07-19T13:51:23", "dateReserved": "2019-04-25T00:00:00", "dateUpdated": "2024-08-04T22:55:40.988Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:code42:code42_for_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "28E60B9E-F766-42C2-979C-A1432B1EEE6D", "versionEndExcluding": "6.7.5", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:code42:code42_for_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "8567BB9A-5F40-45BE-A105-3203190A2C18", "versionEndExcluding": "6.8.8", "versionStartIncluding": "6.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:code42:code42_for_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "85A9B2FE-02C9-4E1A-8AB9-E60EB2DCC482", "versionEndExcluding": "6.9.4", "versionStartIncluding": "6.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:code42:crashplan_for_small_business:*:*:*:*:*:*:*:*", "matchCriteriaId": "969D004D-A8EA-4C09-913C-0D837C6645B7", "versionEndExcluding": "6.7.5", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:code42:crashplan_for_small_business:*:*:*:*:*:*:*:*", "matchCriteriaId": "29E9F36F-3722-4C5A-BC81-3473396FE50A", "versionEndExcluding": "6.8.8", "versionStartIncluding": "6.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:code42:crashplan_for_small_business:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD2A4C11-7783-4055-AC24-E100F49A0593", "versionEndExcluding": "6.9.4", "versionStartIncluding": "6.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Code42 Enterprise and Crashplan for Small Business Client version 6.7 before 6.7.5, 6.8 before 6.8.8, and 6.9 before 6.9.4 allows eval injection. A proxy auto-configuration file, crafted by a lesser privileged user, may be used to execute arbitrary code at a higher privilege as the service user."}, {"lang": "es", "value": "Code42 Enterprise y Crashplan for Small Business Client versiones 6.7 anteriores a 6.7.5, versiones 6.8 anteriores a 6.8.8 y versiones 6.9 anteriores a 6.9.4, permite una inyecci\u00f3n eval. Un archivo de autoconfiguraci\u00f3n de proxy, dise\u00f1ado por un usuario menos privilegiado, puede ser usado para ejecutar c\u00f3digo arbitrario con un privilegio superior al de un usuario de servicio."}], "id": "CVE-2019-11552", "lastModified": "2024-11-21T04:21:19.983", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2019-07-19T14:15:12.297", "references": [{"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://bordplate.no/blog/en/post/crashplan-privilege-escalation/"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://code42.com/r/support/CVE-2019-11552"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://bordplate.no/blog/en/post/crashplan-privilege-escalation/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://code42.com/r/support/CVE-2019-11552"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "[email protected]", "type": "Primary"}]}