#VU48698 Code Injection in inSync Client for Mac - CVE-2019-4000
Published: February 25, 2020 / Updated: November 27, 2020
Affected product: inSync Client for Mac
Vendor: Druva
Description
The vulnerability allows a local user to execute arbitrary code on the target system with elevated privileges.
The vulnerability exists due to improper input validation within the daemon.set_file_acl() method in inSyncDecommission. A local user can send a specially crafted RPC request to port 6059/tcp and execute arbitrary code on the target system with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.