CVE-2020-1066

CWE-250 CWE-269 — Improper Privilege Management7 documents7 sources

Severity

7.8HIGH

EPSS

29.7%

top 3.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Microsoft .net Framework 3.0 Microsoft Microsoft .net Framework 3.5.1 Microsoft .net Framework

Timeline

PublishedMay 21

Latest updateMay 24

Description

An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level.To exploit the vulnerability, an attacker would first have to access the local machine, and then run a malicious program.The update addresses the vulnerability by correcting how .NET Framework activates COM objects., aka '.NET Framework Elevation of Privilege Vulnerability'.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDmicrosoft/.net_framework3.0, 3.5.1+1

▶CVEListV5microsoft/microsoft_.net_framework_3.0Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2, Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2+1

▶CVEListV5microsoft/microsoft_.net_framework_3.5.14 versions+3

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-jp98-j3r8-w99v: An elevation of privilege vulnerability exists in↗2022-05-24

▶

CVEList

CVE-2020-1066: An elevation of privilege vulnerability exists in↗2020-05-21

▶

VulnCheck

.NET Framework Elevation of Privilege Vulnerability↗2020

▶

📋Vendor Advisories

Red Hat

NET: local elevation of privilege↗2020-05-12

▶

Microsoft

.NET Framework Elevation of Privilege Vulnerability↗2020-05-12

▶

💬Community

Bugzilla

CVE-2020-1066 .NET: local elevation of privilege↗2020-06-29

▶