Vulnerability Details : CVE-2020-25989
Privilege escalation via arbitrary file write in pritunl electron client 1.0.1116.6 through v1.2.2550.20. Successful exploitation of the issue may allow an attacker to execute code on the effected system with root privileges.
Vulnerability category: Execute codeGain privilege
Products affected by CVE-2020-25989
- Pritunl » Pritunl-client-electronVersions from including (>=) 1.0.1116.6 and up to, including, (<=) 1.2.2550.20cpe:2.3:a:pritunl:pritunl-client-electron:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-25989
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 15 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-25989
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2
|
HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
3.9
|
10.0
|
NIST | |
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
CWE ids for CVE-2020-25989
-
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-25989
-
https://vkas-afk.github.io/vuln-disclosures/
Arbitrary File Write in Pritunl (CVE 2020-25989) | vuln-disclosuresExploit;Third Party Advisory
-
https://github.com/pritunl/pritunl-client-electron/commit/89f8c997c6f93e724f68f76f7f47f8891d9acc2d
Remove file before io write file · pritunl/pritunl-client-electron@89f8c99 · GitHubPatch;Third Party Advisory
Jump to