CVE-2023-34046

CWE-3674 documents4 sources

Severity

7.0HIGH

EPSS

0.1%

top 65.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Fusion

Timeline

PublishedOct 20

Description

VMware Fusion(13.x prior to 13.5) contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during installation for the first time (the user needs to drag or copy the application to a folder from the '.dmg' volume) or when installing an upgrade. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed or being installed for the first time.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5vmware/fusion13.x — 13.5

▶NVDvmware/fusion13.0.0 — 13.5

🔴Vulnerability Details

CVEList

VMware Fusion TOCTOU local privilege escalation vulnerability↗2023-10-20

▶

GHSA

GHSA-vrpg-hfmh-2gwf: VMware Fusion(13↗2023-10-20

▶

📋Vendor Advisories

VMware

VMware Fusion and Workstation updates address privilege escalation and information disclosure vulnerabilities (CVE-2023-34044, CVE-2023-34045, CVE-2023-34046)↗2023-10-19

▶