CVE-2020-24574

{"id": "CVE-2020-24574", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2020-08-21T04:15:10.787", "references": [{"url": "https://github.com/jtesta/gog_galaxy_client_service_poc", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/jtesta/gog_galaxy_client_service_poc/issues/1#issuecomment-926932218", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.gog.com/galaxy", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.positronsecurity.com/blog/2020-08-13-gog-galaxy_client-local-privilege-escalation_deuce/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "The client (aka GalaxyClientService.exe) in GOG GALAXY through 2.0.41 (as of 12:58 AM Eastern, 9/26/21) allows local privilege escalation from any authenticated user to SYSTEM by instructing the Windows service to execute arbitrary commands. This occurs because the attacker can inject a DLL into GalaxyClient.exe, defeating the TCP-based \"trusted client\" protection mechanism."}, {"lang": "es", "value": "El cliente (tambi\u00e9n conocido como GalaxyClientService.exe) en GOG GALAXY a trav\u00e9s de la versi\u00f3n 2.0.41 (a partir de las 12:58 AM del este, 9/26/21) permite la escalada de privilegios local de cualquier usuario autenticado a SYSTEM al instruir al servicio de Windows para ejecutar comandos arbitrarios. Esto ocurre porque el atacante puede inyectar una DLL en GalaxyClient.exe, derrotando el mecanismo de protecci\u00f3n del \"cliente de confianza\" basado en TCP"}], "lastModified": "2022-04-29T15:04:11.840", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gog:galaxy:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "5314B5BB-CE6A-4BD1-B9CE-ACA13D7A7349", "versionEndIncluding": "2.0.41", "versionStartIncluding": "2.0.13"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}