CVE-2021-26738 — Untrusted Search Path in Client Connector

CWE-426 — Untrusted Search Path3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 88.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zscaler Client Connector

Timeline

PublishedOct 23

Description

Zscaler Client Connector for macOS prior to 3.7 had an unquoted search path vulnerability via the PATH variable. A local adversary may be able to execute code with root privileges.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5zscaler/client_connector< 3.7

▶NVDzscaler/client_connector< 3.7

🔴Vulnerability Details

CVEList

Privilege Escalation for ZCC macOS via PATH Variable↗2023-10-23

▶

GHSA

GHSA-cr8h-8gv8-gxxv: Zscaler Client Connector for macOS prior to 3↗2023-10-23

▶