CVE-2024-6240 HIGH

CVE-2024-6240: Improper privilege management vulnerability in Parallels Desktop

Vendor: Parallels
Product: Parallels Desktop
Weakness: CWE-269
Published: June 21, 2024
Last update: August 1, 2024

CVSS base score

7.7/10
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01 Description

An improper privilege management vulnerability in Parallels Desktop Software affects versions earlier than 19.3.0. An attacker could add malicious code to a script and populate the BASH_ENV environment variable with the path to that script, so that it executes on application startup. An attacker could exploit this vulnerability to escalate privileges on the system.
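A defensive check for the condition described above, as an added example that is not part of the CVE record and is not Parallels code: it classifies a BASH_ENV value and starts a child process with the variable removed. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a BASH_ENV value and start a child process without it.
# Function names are hypothetical; nothing here is Parallels code.

# Print a finding for a BASH_ENV value:
#   unset             - empty or not set; non-interactive bash sources nothing
#   set-missing       - set, but the path is not a regular file
#   set-file          - set to a file that bash would source at startup
#   set-file-writable - as above, and the file is group- or world-writable
# bash expands the value before using it; this check treats it as a literal path.
bash_env_finding() {
    bef_path=$1
    if [ -z "$bef_path" ]; then
        echo unset
        return 0
    fi
    # Keep a relative path from being parsed as a find(1) option.
    case $bef_path in
        /*) ;;
        *) bef_path=./$bef_path ;;
    esac
    if [ ! -f "$bef_path" ]; then
        echo set-missing
    elif [ -n "$(find "$bef_path" \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null)" ]; then
        echo set-file-writable
    else
        echo set-file
    fi
}

# Run a command with BASH_ENV removed from its environment. The subshell keeps
# the caller's own environment unchanged.
run_without_bash_env() {
    (
        unset BASH_ENV
        exec "$@"
    )
}

# Report on the environment this script was started with.
echo "BASH_ENV finding: $(bash_env_finding "${BASH_ENV:-}")"
```

A privileged launcher that has to start bash can wrap the call in `run_without_bash_env` and log any finding other than `unset`.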

Key dates

02 Disclosure timeline

June 21, 2024: CVE published
August 1, 2024: Record updated