Privilege escalation in IBM i Access Client Solutions
Published: 2022-11-22
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-40746
CWE-ID CWE-426
Exploitation vector Local
Public exploit N/A
Vulnerable software
IBM i Access Client Solutions
Client/Desktop applications / Software for system administration

Vendor

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Untrusted search path

EUVDB-ID: #VU69508

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-40746

CWE-ID: CWE-426 - Untrusted Search Path

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an insecure search path when loading DLL files. A local user can place a specially crafted DLL in the application's current working directory and execute arbitrary code with elevated privileges.
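The following is an added example, not code from IBM or from this bulletin, that models how a DLL search order decides which copy of a library is loaded and flags when a user-writable directory (such as the working directory) is consulted before the trusted copy; that is the CWE-426 condition described above. The directory layout, file names and the `TRUSTED_DIRS` set are constructed for illustration; the three search orders follow the documented Windows behaviour for SafeDllSearchMode disabled, SafeDllSearchMode enabled, and loading restricted to the application and system directories (the effect of `LOAD_LIBRARY_SEARCH_SYSTEM32` / `SetDefaultDllDirectories`).

```python
"""Model of Windows DLL search-order resolution to reason about CWE-426.

Added illustration; not the product's own loader. The filesystem below is
constructed in memory so the script runs offline on any platform.
"""
from typing import Dict, List, Optional, Set

SYSTEM32 = r"C:\Windows\System32"
WINDOWS = r"C:\Windows"
APP_DIR = r"C:\Program Files\App"           # assumed, not user-writable
CWD = r"C:\Users\alice\Downloads"           # assumed user-writable working directory

# Constructed filesystem: directory -> names present in it.
FS: Dict[str, Set[str]] = {
    APP_DIR: {"app.exe", "vendor.dll"},
    CWD: {"version.dll", "report.pdf"},     # look-alike of a system DLL name
    SYSTEM32: {"version.dll", "kernel32.dll"},
    WINDOWS: set(),
}

# Directories an unprivileged user cannot write to (assumption for the model).
TRUSTED_DIRS: Set[str] = {APP_DIR, SYSTEM32, WINDOWS}


def legacy_search_order(app_dir: str, cwd: str) -> List[str]:
    """SafeDllSearchMode disabled: the CWD is searched before system dirs."""
    return [app_dir, cwd, SYSTEM32, WINDOWS]


def safe_search_order(app_dir: str, cwd: str) -> List[str]:
    """SafeDllSearchMode enabled (default): the CWD moves after system dirs."""
    return [app_dir, SYSTEM32, WINDOWS, cwd]


def hardened_search_order(app_dir: str) -> List[str]:
    """LOAD_LIBRARY_SEARCH_SYSTEM32-style loading: the CWD is never consulted."""
    return [app_dir, SYSTEM32]


def _has(fs: Dict[str, Set[str]], directory: str, name: str) -> bool:
    # DLL names are case-insensitive on Windows.
    return name.lower() in {f.lower() for f in fs.get(directory, ())}


def resolve(name: str, order: List[str], fs: Dict[str, Set[str]] = FS) -> Optional[str]:
    """Return the full path of the first copy of `name` found along `order`."""
    for directory in order:
        if _has(fs, directory, name):
            return directory + "\\" + name
    return None


def hijack_exposure(name: str, order: List[str],
                    trusted_dirs: Set[str] = TRUSTED_DIRS,
                    fs: Dict[str, Set[str]] = FS) -> List[str]:
    """Untrusted directories consulted before the first trusted directory that
    actually holds `name`.  Any such directory is a planting point for a
    look-alike DLL (CWE-426).  If no trusted copy exists at all, every untrusted
    directory on the path is returned, since the loader would accept a planted
    file from any of them."""
    exposed: List[str] = []
    for directory in order:
        if directory in trusted_dirs:
            if _has(fs, directory, name):
                return exposed
        else:
            exposed.append(directory)
    return exposed


if __name__ == "__main__":
    for label, order in (
        ("legacy", legacy_search_order(APP_DIR, CWD)),
        ("safe", safe_search_order(APP_DIR, CWD)),
        ("hardened", hardened_search_order(APP_DIR)),
    ):
        print(f"{label:9} version.dll -> {resolve('version.dll', order)}"
              f"  exposure={hijack_exposure('version.dll', order)}")
```

Running the script shows `version.dll` loading from the Downloads directory only under the legacy order; with the safe order the System32 copy wins, and with the hardened order the working directory is not even on the list. The same `hijack_exposure` check, fed a real process's search path and a list of directories that are writable by unprivileged users, is a practical audit for this vulnerability class.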

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

IBM i Access Client Solutions: before 1.1.9.1

External links

http://exchange.xforce.ibmcloud.com/vulnerabilities/236581
http://www.ibm.com/support/pages/node/6840359

Q & A

Can this vulnerability be exploited remotely?

No. The exploitation vector is local: an attacker needs local access to the system.

Is there known malware, which exploits this vulnerability?
