CVE-2020-8290

Published: Dec 27, 2020Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Backblaze for Windows and Backblaze for macOS before 7.0.0.439 suffer from improper privilege management in `bztransmit` helper due to lack of permission handling and validation before creation of client update directories allowing for local escalation of privilege via rogue client update binary.

Affected (2)

Products: Backblaze: Backblaze

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Backblaze Backblaze	Before 7.0.0.439
Backblaze Backblaze	Before 7.0.0.439

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (6)

https://github.com/geffner/CVE-2020-8290/blob/master/README.md

Source: support@hackerone.com

ExploitThird Party Advisory

https://hackerone.com/reports/818857

Source: support@hackerone.com

Permissions Required

https://youtu.be/OpC6neWd2aM

Source: support@hackerone.com

ExploitThird Party Advisory

https://github.com/geffner/CVE-2020-8290/blob/master/README.md

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://hackerone.com/reports/818857

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://youtu.be/OpC6neWd2aM

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.