OpenCVE

An Improper Input Validation vulnerability in Zscaler Client Connector on Linux allows Privilege Escalation. This issue affects Client Connector: before 1.4.0.105

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zscaler	Client Connector

Configuration 1 [-]

cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:linux:*:*

No data.

References

Link	Providers
https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023

History

Thu, 17 Oct 2024 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-20

Thu, 17 Oct 2024 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-78

MITRE

Status: PUBLISHED

Assigner: Zscaler

Published: 2023-10-23T13:33:57.278Z

Updated: 2024-10-17T15:15:44.693Z

Reserved: 2023-03-23T18:29:15.803Z

Link: CVE-2023-28805

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-10-23T14:15:09.740

Modified: 2024-11-21T07:56:03.027

Link: CVE-2023-28805

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28805", "assignerOrgId": "73c6f63b-efac-410d-a0a9-569700f85a04", "state": "PUBLISHED", "assignerShortName": "Zscaler", "dateReserved": "2023-03-23T18:29:15.803Z", "datePublished": "2023-10-23T13:33:57.278Z", "dateUpdated": "2024-10-17T15:15:44.693Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Client Connector", "vendor": "Zscaler", "versions": [{"lessThan": "1.4.0.105", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tesla Red Team"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An Improper Input Validation vulnerability in Zscaler Client Connector on Linux allows Privilege Escalation. This issue affects Client Connector: before 1.4.0.105"}], "value": "An Improper Input Validation vulnerability in Zscaler Client Connector on Linux allows Privilege Escalation. This issue affects Client Connector: before 1.4.0.105"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "73c6f63b-efac-410d-a0a9-569700f85a04", "shortName": "Zscaler", "dateUpdated": "2024-10-17T15:15:44.693Z"}, "references": [{"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023"}], "source": {"discovery": "UNKNOWN"}, "title": "ZCC on Linux privilege escalation", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:51:38.482Z"}, "title": "CVE Program Container", "references": [{"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:linux:*:*", "matchCriteriaId": "265D988F-CAC9-45C0-A663-257BD0DCEF15", "versionEndExcluding": "1.4.0.105", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An Improper Input Validation vulnerability in Zscaler Client Connector on Linux allows Privilege Escalation. This issue affects Client Connector: before 1.4.0.105"}, {"lang": "es", "value": "Una vulnerabilidad de validaci\u00f3n de entrada incorrecta en Zscaler Client Connector en Linux permite la escalada de privilegios. Este problema afecta a Client Connector: anterior a 1.4.0.105"}], "id": "CVE-2023-28805", "lastModified": "2024-11-21T07:56:03.027", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 4.7, "source": "cve@zscaler.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-23T14:15:09.740", "references": [{"source": "cve@zscaler.com", "tags": ["Release Notes"], "url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023"}], "sourceIdentifier": "cve@zscaler.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "cve@zscaler.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}