CVE-2023-27830: Improper Privilege Management in TightVNC

Severity: 9.0 CRITICAL (NVD)
EPSS: 0.4% (top 37.97%)
CISA KEV: Not in KEV
Exploit: No known exploits
Published: Apr 12

Description

TightVNC before v2.8.75 allows attackers to escalate privileges on the host operating system by replacing legitimate files with crafted files when executing a file transfer. This is because TightVNC runs in the backend as a high-privilege account.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Exploitability: 2.3 | Impact: 6.0

Affected Packages (2 packages)

NVD: tightvnc/tightvnc < 2.8.75

🔴 Vulnerability Details (1)

GHSA: GHSA-w347-2542-wgjq: TightVNC before v2 (2023-04-12)

📋 Vendor Advisories (1)

Debian: CVE-2023-27830: tightvnc - TightVNC before v2.8.75 allows attackers to escalate privileges on the host oper... (2023)