CVE-2019-14743
Published 2019-08-07
Priority: P4 · 25 · medium · 6.6 (CVSS 3.0)
Vector: AV:P / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.62% (45.0th percentile)
In Valve Steam Client for Windows through 2019-08-07, HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit "Full control" for the Users group, which allows local users to gain NT AUTHORITY\SYSTEM access.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| valvesoftware | steam_client | <= 2019-08-07 | — |
| valvesoftware | steam_client | <= 2019-08-16 | — |
CVSS provenance
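| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.6 | MEDIUM | CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |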
GHSA
GHSA-mqr5-g657-83ch · CVE-2019-15315 [MEDIUM]
ghsa_unreviewed · 2022-05-24 · CVSS 6.6
Valve Steam Client for Windows through 2019-08-16 allows privilege escalation (to NT AUTHORITY\SYSTEM) because local users can replace the current versions of SteamService.exe and SteamService.dll with older versions that lack the CVE-2019-14743 patch.
GHSA
GHSA-377c-pvc8-rpq3 · CVE-2019-14743 [HIGH]
ghsa_unreviewed · 2022-05-24
** DISPUTED ** In Valve Steam Client for Windows through 2019-08-07, HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit "Full control" for the Users group, which allows local users to gain NT AUTHORITY\SYSTEM access. NOTE: the vendor disputes the significance of this finding; the discoverer was reportedly told that the Steam threat model excludes "Attacks that require physical access to the user's device" and "Attacks that require the ability to drop files in arbitrary locations on the user's filesystem" (which might apply to the attacker's ability to create links under HKLM\SOFTWARE\Wow6432Node\Valve\Steam\Apps).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2019-08-07
Published