Incorrect Execution-Assigned Permissions

CVE-2023-50914

Medium

6.7/10

Summary

A Privilege Escalation issue in the inter-process communication procedure from GOG Galaxy (Beta) 2.0.67.2 through v2.0.71.2 allows authentictaed users to change the DACL of arbitrary system directories to include Everyone full control permissions by modifying the FixDirectoryPrivileges instruction parameters sent from GalaxyClient.exe to GalaxyClientService.exe.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: HIGH
Confidentiality Impact: HIGH
Availability Impact: LOW

CWE-279 - Incorrect Execution-Assigned Permissions

While it is executing, the software sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.

References

Advisory Timeline

Published Apr 30, 2024

Incorrect Execution-Assigned Permissions

CVE-2023-50914

Summary

CWE-279 - Incorrect Execution-Assigned Permissions

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS