#VU50660 Improper Privilege Management in OpenLiteSpeed
Vulnerability identifier: #VU50660
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-269
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
OpenLiteSpeed
Server applications /
Web servers
Vendor: LiteSpeed Technologies
Description
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper privilege management. A remote administrator can use the extUser or extGroup parameters to gain sudo access and escalate privileges on the system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
OpenLiteSpeed: 1.7.0 - 1.7.8
External links
http://github.com/litespeedtech/openlitespeed/issues/217
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
