CVE-2024-11220
Dec. 6, 2024, 6:15 p.m.
Tags
CVSS Score
Product(s) Impacted
OAS
Description
A local low-level user on the server machine with credentials to the running OAS services can create and execute a report with an rdlx file on the server system itself. Any code within the rdlx file of the report executes with SYSTEM privileges, resulting in privilege escalation.
Weaknesses
CWE-279
Incorrect Execution-Assigned Permissions
While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.
CWE ID: 279Date
Published: Dec. 6, 2024, 6:15 p.m.
Last Modified: Dec. 6, 2024, 6:15 p.m.
Status : Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
ics-cert@hq.dhs.gov
CVSS Data
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
Exploitability Score
Impact Score
Base Severity
HIGHCVSS Vector String
The CVSS vector string provides an in-depth view of the vulnerability metrics.
View Vector StringCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H