CVE-2024-6240

Improper privilege management vulnerability in Parallels Desktop Software, which affects versions earlier than 19.3.0. An attacker could add malicious code in a script and populate the BASH_ENV environment variable with the path to the malicious script, executing on application startup. An attacker could exploit this vulnerability to escalate privileges on the system.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/improper-privilege-management-vulnerability-parallels-desktop	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:parallels:parallels_desktop:*:*:*:*:*:macos:*:*

History

24 Jun 2024, 19:10

Type	Values Removed	Values Added
CPE		cpe:2.3:a:parallels:parallels_desktop::::::macos::*
Summary		(es) Vulnerabilidad de gestión de privilegios incorrecta en Parallels Desktop Software, que afecta a versiones anteriores a la 19.3.0. Un atacante podría agregar código malicioso en un script y completar la variable de entorno BASH_ENV con la ruta al script malicioso, ejecutándose al iniciar la aplicación. Un atacante podría aprovechar esta vulnerabilidad para aumentar los privilegios en el sistema.
References	~~() https://www.incibe.es/en/incibe-cert/notices/aviso/improper-privilege-management-vulnerability-parallels-desktop -~~	() https://www.incibe.es/en/incibe-cert/notices/aviso/improper-privilege-management-vulnerability-parallels-desktop - Third Party Advisory
First Time		Parallels parallels Desktop Parallels
CVSS	v2 : ~~unknown~~ v3 : ~~7.7~~	v2 : unknown v3 : 10.0

21 Jun 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-21 14:15

Updated : 2024-06-24 19:10

NVD link : CVE-2024-6240

Mitre link : CVE-2024-6240

CVE.ORG link : CVE-2024-6240

JSON object : View

Products Affected

parallels

parallels_desktop

CWE

CWE-269

Improper Privilege Management

{"id": "CVE-2024-6240", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.3}]}, "published": "2024-06-21T14:15:14.240", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/improper-privilege-management-vulnerability-parallels-desktop", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "Improper privilege management vulnerability in Parallels Desktop Software, which affects versions earlier than 19.3.0. An attacker could add malicious code in a script and populate the BASH_ENV environment variable with the path to the malicious script, executing on application startup. An attacker could exploit this vulnerability to escalate privileges on the system."}, {"lang": "es", "value": "Vulnerabilidad de gesti\u00f3n de privilegios incorrecta en Parallels Desktop Software, que afecta a versiones anteriores a la 19.3.0. Un atacante podr\u00eda agregar c\u00f3digo malicioso en un script y completar la variable de entorno BASH_ENV con la ruta al script malicioso, ejecut\u00e1ndose al iniciar la aplicaci\u00f3n. Un atacante podr\u00eda aprovechar esta vulnerabilidad para aumentar los privilegios en el sistema."}], "lastModified": "2024-06-24T19:10:38.983", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:parallels:parallels_desktop:*:*:*:*:*:macos:*:*", "vulnerable": true, "matchCriteriaId": "C8A30945-3C3C-4341-96FB-E64872B6559E", "versionEndExcluding": "19.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@incibe.es"}