CVE-2024-40872 HIGH

CVE-2024-40872: Elevation of privilege in Absolute Secure Access clients and servers

Vendor Absolute Security
Product Secure Access
Weakness CWE-822
Published July 25, 2024
Last update August 2, 2024

CVSS base score

8.4/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

Description

There is an elevation of privilege vulnerability in server and client components of Absolute Secure Access prior to version 13.07. Attackers with local access and valid desktop user credentials can elevate their privilege to system level by passing invalid address data to the vulnerable component. This could be used to manipulate process tokens to elevate the privilege of a normal process to System. The scope is changed, the impact to system confidentiality and integrity is high, and the impact to the availability of the affected component is none.

Key dates

Disclosure timeline

July 25, 2024 CVE published
August 2, 2024 Record updated