CVE-2023-4996 MEDIUM

CVE-2023-4996: Local privilege escalation

Vendor Netskope
Product Netskope Client
Weakness CWE-281
Published November 6, 2023
Last update September 5, 2024

CVSS base score

6.6/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

What the vulnerability does

01Description

Netskope was made aware of a security vulnerability in its NSClient product for version 100 & prior where a malicious non-admin user can disable the Netskope client by using a specially-crafted package. The root cause of the problem was a user control code when called by a Windows ServiceController did not validate the permissions associated with the user before executing the user control code. This user control code had permissions to terminate the NSClient service. 

Key dates

02Disclosure timeline

November 6, 2023 CVE published
September 5, 2024 Record updated