CVE-2007-0603 - PGP Desktop before 9.5.1 does not validate data objects received over the (1) \pipe\pgpserv named pi

CVE-2007-0603

Summary

PGP Desktop before 9.5.1 does not validate data objects received over the (1) \pipe\pgpserv named pipe for PGPServ.exe or the (2) \pipe\pgpsdkserv named pipe for PGPsdkServ.exe, which allows remote authenticated users to gain privileges by sending a data object representing an absolute pointer, which causes code execution at the corresponding address.

References

Vulnerable Configurations

cpe:2.3:a:pgp:corporate_desktop:9.5:*:*:*:*:*:*:*
cpe:2.3:a:pgp:corporate_desktop:9.5:*:*:*:*:*:*:*

CVSS

Base:	7.1 (as of 16-10-2018 - 16:33)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	HIGH	SINGLE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:H/Au:S/C:C/I:C/A:C

refmap via4

bid	22247
bugtraq	20070125 Medium Risk Vulnerability in PGP Desktop
cert-vn	VU#102465
misc	http://www.ngssoftware.com/advisories/medium-risk-vulnerability-in-pgp-desktop/
osvdb	32969 32970
sectrack	1017563
secunia	23938
sreason	2203
vulnwatch	20070125 Medium Risk Vulnerability in PGP Desktop
vupen	ADV-2007-0356

Last major update

16-10-2018 - 16:33

Published

30-01-2007 - 18:28

Last modified

16-10-2018 - 16:33