A UNIX Symbolic Link (Symlink) Following vulnerability in keylime of openSUSE Tumbleweed allows local attackers to escalate from the keylime user to root. This issue affects: openSUSE Tumbleweed keylime versions prior to 6.4.2-1.1.
Vulnerabilities in the Drive Composer allow a low privileged attacker to create and write to a file anywhere on the file system as SYSTEM with arbitrary content as long as the file does not already exist. The Drive Composer installer file allows a low-privileged user to run a "repair" operation on the product.
mail.local in NetBSD versions 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows local users to change ownership of or append data to arbitrary files on the target system via a symlink attack on the user mailbox.
Link Following Local Privilege Escalation Vulnerability in TuneUp Service in AVG TuneUp Version 23.4 (build 15592) on Windows 10 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack.
Link Following Local Privilege Escalation Vulnerability in TuneupSvc in Avast Cleanup Premium Version 24.2.16593.17810 on Windows 10 Pro x64 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack.
An anti-spyware engine link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
An updater link following vulnerability in the Trend Micro Apex One agent could allow a local attacker to abuse the updater to delete an arbitrary folder, leading for a local privilege escalation on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
Wacom Center WTabletServicePro Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Wacom Center. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within WTabletServicePro.exe. By creating a symbolic link, an attacker can abuse the service to create an arbitrary file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-25359.
Panda Security Dome Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Hotspot Shield. By creating a junction, an attacker can abuse the application to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23478.
A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the buildkite-agent user to change ownership of arbitrary directories via the PIPELINE_PATH variable in the fix-buildkite-agent-builds-permissions script.
Intel Driver & Support Assistant Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Intel Driver & Support Assistant. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the DSA Service. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-21846.
replay-sorcery-kms in Replay Sorcery 0.6.0 allows a local attacker to gain root privileges via a symlink attack on /tmp/replay-sorcery or /tmp/replay-sorcery/device.sock.
A link following vulnerability in the Trend Micro Deep Security 20.0 and Trend Micro Cloud One - Endpoint and Workload Security Agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
Trend Micro Security (Consumer) 2021 and 2020 are vulnerable to a directory junction vulnerability which could allow an attacker to exploit the system to escalate privileges and create a denial of service.
Bluetooth HCI Adaptor from Realtek has a Link Following vulnerability. Local attackers with regular privileges can create a symbolic link with the same name as a specific file, causing the product to delete arbitrary files pointed to by the link. Subsequently, attackers can leverage arbitrary file deletion to privilege escalation.
In Malwarebytes before 4.5.23, a symbolic link may be used delete any arbitrary file on the system by exploiting the local quarantine system. It can also lead to privilege escalation in certain scenarios.
Measuresoft ScadaPro Server and Client (All Versions) do not properly resolve links before file access; this could allow privilege escalation..
Dell Inventory Collector Client, versions prior to 12.7.0, contains an Improper Link Resolution Before File Access vulnerability. A low-privilege attacker with local access may exploit this vulnerability, potentially resulting in Elevation of Privileges and unauthorized file system access.
The Zoom Client for Meetings for Windows in all versions before version 5.3.2 writes log files to a user writable directory as a privileged user during the installation or update of the client. This could allow for potential privilege escalation if a link was created between the user writable directory used and a non-user writable directory.
The Improper link resolution before file access ('Link Following') vulnerability in SonicWall Connect Tunnel (version 12.4.3.271 and earlier of Windows client) allows users with standard privileges to delete arbitrary folders and files, potentially leading to local privilege escalation attack.
A UNIX Symbolic Link (Symlink) Following vulnerability in python-postorius of openSUSE Leap 15.2, Factory allows local attackers to escalate from users postorius or postorius-admin to root. This issue affects: openSUSE Leap 15.2 python-postorius version 1.3.2-lp152.1.2 and prior versions. openSUSE Factory python-postorius version 1.3.4-2.1 and prior versions.
Windows Common Log File System Driver Elevation of Privilege Vulnerability
In Cylance CylancePROTECT before 1470, an unprivileged local user can obtain SYSTEM privileges because users have Modify access to the %PROGRAMFILES%\Cylance\Desktop\log folder, the CyUpdate process grants users Modify access to new files created in this folder, and a new file can be a symlink chain to a pathname of an arbitrary DLL that CyUpdate uses.
kwallet-pam in KDE KWallet before 5.12.6 allows local users to obtain ownership of arbitrary files via a symlink attack.
Windows Storage Elevation of Privilege Vulnerability
VestaCP through 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions. After reading the RKEY value from user.conf under the /usr/local/vesta/data/users/admin directory, the admin password can be changed via a /reset/?action=confirm&user=admin&code= URI. This occurs because chmod is used unsafely.
Windows Installer Elevation of Privilege Vulnerability
Windows Container Manager Service Elevation of Privilege Vulnerability
Windows Runtime C++ Template Library Elevation of Privilege Vulnerability
The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, before 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS, and before 1.10.1-0ubuntu1.1 on Ubuntu 16.10, and the nginx ebuild before 1.10.2-r3 on Gentoo allow local users with access to the web server user account to gain root privileges via a symlink attack on the error log.
Azure Network Watcher VM Agent Elevation of Privilege Vulnerability
Windows System Assessment Tool Elevation of Privilege Vulnerability
Visual Studio Elevation of Privilege Vulnerability
Windows WalletService Elevation of Privilege Vulnerability
Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
An issue was discovered in file profile.go in function GetCPUProfile in beego through 2.0.2, allows attackers to launch symlink attacks locally.
An issue was discovered in file profile.go in function MemProf in beego through 2.0.2, allows attackers to launch symlink attacks locally.
avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects the packaging for Debian GNU/Linux (used indirectly by SUSE), not the upstream Avahi product.
An improper symlink following in FortiClient for Mac 6.4.3 and below may allow an non-privileged user to execute arbitrary privileged shell commands during installation phase.
<p>An elevation of privilege vulnerability exists in Microsoft Windows when Folder redirection has been enabled via Group Policy. When folder redirection file server is co-located with Terminal server, an attacker who successfully exploited the vulnerability would be able to begin redirecting another user's personal data to a created folder.</p> <p>To exploit the vulnerability, an attacker can create a new folder under the Folder Redirection root path and create a junction on a newly created User folder. When the new user logs in, Folder Redirection would start redirecting to the folder and copying personal data.</p> <p>This elevation of privilege vulnerability can only be addressed by reconfiguring Folder Redirection with Offline files and restricting permissions, and NOT via a security update for affected Windows Servers. See the <strong>FAQ</strong> section of this CVE for configuration guidance.</p>
Windows Update Stack Elevation of Privilege Vulnerability
Windows User Account Profile Picture Elevation of Privilege Vulnerability
AMD fglrx-driver before 15.9 allows local users to gain privileges via a symlink attack. NOTE: This vulnerability exists due to an incomplete fix for CVE-2015-7723.
The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack.
cci_dir in IBM U2 UniVerse 10.0.0.9 and earlier creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.
HashiCorp Vagrant's Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. Fixed in Vagrant 2.4.0.
Azure Connected Machine Agent Elevation of Privilege Vulnerability
Libcontainer 1.6.0, as used in Docker Engine, allows local users to escape containerization ("mount namespace breakout") and write to arbitrary file on the host system via a symlink attack in an image when respawning a container.
Automatic Bug Reporting Tool (ABRT) allows local users to read, change the ownership of, or have other unspecified impact on arbitrary files via a symlink attack on (1) /var/tmp/abrt/*/maps, (2) /tmp/jvm-*/hs_error.log, (3) /proc/*/exe, (4) /etc/os-release in a chroot, or (5) an unspecified root directory related to librpm.