CVE-2021-23175

NVIDIA GeForce Experience contains a vulnerability in user authorization, where GameStream does not correctly apply individual user access controls for users on the same device, which, with user intervention, may lead to escalation of privileges, information disclosure, data tampering, and denial of service, affecting other resources beyond the intended security authority of GameStream.

CVSS v3 8.2 HIGH
CVSS v2.0 4.4 MEDIUM

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.5 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

4.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 3.4 / Impact : 6.4

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://nvidia.custhelp.com/app/answers/detail/a_id/5295	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:nvidia:geforce_experience:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

07 Jan 2022, 18:26

Type	Values Removed	Values Added
CWE		CWE-863
References	~~(CONFIRM) https://nvidia.custhelp.com/app/answers/detail/a_id/5295 -~~	(CONFIRM) https://nvidia.custhelp.com/app/answers/detail/a_id/5295 - Vendor Advisory
CPE		cpe:2.3:o:microsoft:windows:-:::::::* cpe:2.3:a:nvidia:geforce_experience::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.4 v3 : 8.2
First Time		Microsoft windows Microsoft Nvidia geforce Experience Nvidia

23 Dec 2021, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-12-23 16:15

Updated : 2023-12-10 14:09

NVD link : CVE-2021-23175

Mitre link : CVE-2021-23175

CVE.ORG link : CVE-2021-23175

JSON object : View

Products Affected

microsoft

windows

nvidia

geforce_experience

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2021-23175", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.4, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.5}, {"type": "Secondary", "source": "psirt@nvidia.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.5}]}, "published": "2021-12-23T16:15:07.863", "references": [{"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5295", "tags": ["Vendor Advisory"], "source": "psirt@nvidia.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "NVIDIA GeForce Experience contains a vulnerability in user authorization, where GameStream does not correctly apply individual user access controls for users on the same device, which, with user intervention, may lead to escalation of privileges, information disclosure, data tampering, and denial of service, affecting other resources beyond the intended security authority of GameStream."}, {"lang": "es", "value": "NVIDIA GeForce Experience contiene una vulnerabilidad en la autorizaci\u00f3n de usuarios, en la que GameStream no aplica correctamente los controles de acceso individuales para los usuarios del mismo dispositivo, lo que, con la intervenci\u00f3n del usuario, puede conllevar a una escalada de privilegios, divulgaci\u00f3n de informaci\u00f3n, manipulaci\u00f3n de datos y denegaci\u00f3n de servicio, afectando a otros recursos m\u00e1s all\u00e1 de la autoridad de seguridad prevista de GameStream"}], "lastModified": "2022-01-07T18:26:24.160", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nvidia:geforce_experience:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7A425C6-BFF3-48C6-98F9-B5D72816584E", "versionEndExcluding": "3.24.0.126"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@nvidia.com"}