This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.3 (39313) Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Dispatcher service. The service loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-15213.
References
Link | Resource |
---|---|
https://kb.parallels.com/en/129010 | Vendor Advisory |
https://www.zerodayinitiative.com/advisories/ZDI-22-945/ | Third Party Advisory VDB Entry |
Configurations
History
27 Jul 2022, 18:09
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-427 | |
First Time |
Parallels
Parallels parallels Access |
|
CPE | cpe:2.3:a:parallels:parallels_access:6.5.4_\(39313\):*:*:*:*:*:*:* | |
References | (MISC) https://kb.parallels.com/en/129010 - Vendor Advisory | |
References | (MISC) https://www.zerodayinitiative.com/advisories/ZDI-22-945/ - Third Party Advisory, VDB Entry | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
18 Jul 2022, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-07-18 15:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-34900
Mitre link : CVE-2022-34900
CVE.ORG link : CVE-2022-34900
JSON object : View
Products Affected
parallels
- parallels_access
CWE
CWE-427
Uncontrolled Search Path Element