All the vulnerabilites related to Cloudflare - WARP
cve-2023-3747
Vulnerability from cvelistv5
Published
2023-09-07 12:11
Modified
2024-09-26 14:17
Severity ?
EPSS score ?
Summary
Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Override codes can also be created by the Administrators to allow a device to temporarily be disconnected from WARP, however, due to lack of server side validation, an attacker with local access to the device, could extend the maximum allowed disconnected time of WARP client granted by an override code by changing the date & time on the local device where WARP is running.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloudflare | WARP Client |
Version: 0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:57.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#retrieve-the-override-code"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3747",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T14:00:41.348588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T14:17:57.684Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "WARP Client",
"vendor": "Cloudflare",
"versions": [
{
"changes": [
{
"at": "6.29",
"status": "unaffected"
}
],
"lessThan": "6.29",
"status": "affected",
"version": "0",
"versionType": "release"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eZero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Override codes can also be created by the Administrators to allow a device to temporarily be disconnected from WARP, however, due to lack of server side validation, an attacker with local access to the device, could extend the maximum allowed disconnected time of WARP client granted by an override code by changing the date \u0026amp; time on the local device where WARP is running.\u003c/p\u003e"
}
],
"value": "Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Override codes can also be created by the Administrators to allow a device to temporarily be disconnected from WARP, however, due to lack of server side validation, an attacker with local access to the device, could extend the maximum allowed disconnected time of WARP client granted by an override code by changing the date \u0026 time on the local device where WARP is running.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-207",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-207 Removing Important Client Functionality"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-602",
"description": "CWE-602",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-07T12:11:01.435Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone"
},
{
"tags": [
"related"
],
"url": "https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#retrieve-the-override-code"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insufficient Validation on Override Codes for Always-Enabled WARP Mode",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2023-3747",
"datePublished": "2023-09-07T12:11:01.435Z",
"dateReserved": "2023-07-18T08:43:28.555Z",
"dateUpdated": "2024-09-26T14:17:57.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-0652
Vulnerability from cvelistv5
Published
2023-04-06 09:42
Modified
2024-08-02 05:17
Severity ?
EPSS score ?
Summary
Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files.
As Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloudflare | WARP |
Version: 0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:17:50.356Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"
},
{
"tags": [
"x_transferred"
],
"url": "https://developers.cloudflare.com/warp-client/get-started/windows/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-xmhj-9p83-xvw9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"MSI"
],
"packageName": "WARP Installer",
"platforms": [
"Windows"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"changes": [
{
"at": "2023.3.381.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "2022.5.309.0",
"status": "affected",
"version": "0",
"versionType": "N/A"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jan-Luca Gruber"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch3\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eDue to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (\u0026lt;= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files.\u003c/span\u003e\u003cbr\u003e\u003c/h3\u003e\u003cp\u003eAs Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (\u003c= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files.\nAs Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-06T09:48:14.685Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"
},
{
"url": "https://developers.cloudflare.com/warp-client/get-started/windows/"
},
{
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-xmhj-9p83-xvw9"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Local Privilege Escalation in Cloudflare WARP Installer (Windows)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2023-0652",
"datePublished": "2023-04-06T09:42:33.513Z",
"dateReserved": "2023-02-02T15:10:37.415Z",
"dateUpdated": "2024-08-02T05:17:50.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-0654
Vulnerability from cvelistv5
Published
2023-08-29 15:05
Modified
2024-09-30 17:46
Severity ?
EPSS score ?
Summary
Due to a misconfiguration, the WARP Mobile Client (< 6.29) for Android was susceptible to a tapjacking attack. In the event that an attacker built a malicious application and managed to install it on a victim's device, the attacker would be able to trick the user into believing that the app shown on the screen was the WARP client when in reality it was the attacker's app.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloudflare | WARP Client |
Version: 0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:17:50.408Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-5r97-pqv6-xpx7"
},
{
"tags": [
"x_transferred"
],
"url": "https://developers.cloudflare.com/warp-client/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0654",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T17:35:06.811748Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T17:46:56.466Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "WARP Client",
"vendor": "Cloudflare",
"versions": [
{
"changes": [
{
"at": "6.29",
"status": "unaffected"
}
],
"lessThan": "6.29",
"status": "affected",
"version": "0",
"versionType": "patch"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDue to a misconfiguration, the WARP Mobile Client (\u0026lt; 6.29) for Android was susceptible to a tapjacking attack. In the event that an attacker built a malicious application and managed to install it on a victim\u0027s device, the attacker would be able to trick the user into believing that the app shown on the screen was the WARP client when in reality it was the attacker\u0027s app.\u003c/p\u003e"
}
],
"value": "Due to a misconfiguration, the WARP Mobile Client (\u003c 6.29) for Android was susceptible to a tapjacking attack. In the event that an attacker built a malicious application and managed to install it on a victim\u0027s device, the attacker would be able to trick the user into believing that the app shown on the screen was the WARP client when in reality it was the attacker\u0027s app.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-506",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-506 Tapjacking"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-29T15:05:19.623Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-5r97-pqv6-xpx7"
},
{
"url": "https://developers.cloudflare.com/warp-client/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Spoofing User\u0027s Activity Loads in WARP Mobile Client (Android)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2023-0654",
"datePublished": "2023-08-29T15:05:19.623Z",
"dateReserved": "2023-02-02T17:45:39.047Z",
"dateUpdated": "2024-09-30T17:46:56.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-4428
Vulnerability from cvelistv5
Published
2023-01-11 16:49
Modified
2024-08-03 01:41
Severity ?
EPSS score ?
Summary
support_uri parameter in the WARP client local settings file (mdm.xml) lacked proper validation which allowed for privilege escalation and launching an arbitrary executable on the local machine upon clicking on the "Send feedback" option. An attacker with access to the local file system could use a crafted XML config file pointing to a malicious file or set a local path to the executable using Cloudflare Zero Trust Dashboard (for Zero Trust enrolled clients).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloudflare | WARP |
Version: 0 ≤ 2022.10.106.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:41:44.657Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-h3j3-fhqg-66rh"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThanOrEqual": "2022.10.106.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "WARP client enrolled in Cloudflare Zero Trust"
}
],
"value": "WARP client enrolled in Cloudflare Zero Trust"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "CyberGeeGee (bug bounty)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003esupport_uri parameter in the WARP client local settings file (mdm.xml) lacked proper validation which allowed for privilege escalation and launching an arbitrary executable on the local machine upon clicking on the \"Send feedback\" option. An attacker with access to the local file system could use a crafted XML config file pointing to a malicious file or set a local path to the executable using Cloudflare Zero Trust Dashboard (for Zero Trust enrolled clients).\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "support_uri parameter in the WARP client local settings file (mdm.xml) lacked proper validation which allowed for privilege escalation and launching an arbitrary executable on the local machine upon clicking on the \"Send feedback\" option. An attacker with access to the local file system could use a crafted XML config file pointing to a malicious file or set a local path to the executable using Cloudflare Zero Trust Dashboard (for Zero Trust enrolled clients).\n"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
},
{
"capecId": "CAPEC-549",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-549 Local Execution of Code"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-12T11:17:35.572Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-h3j3-fhqg-66rh"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update WARP client for Windows to the latest available version."
}
],
"value": "Update WARP client for Windows to the latest available version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "support_uri validation missing in WARP client for Windows",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2022-4428",
"datePublished": "2023-01-11T16:49:36.512Z",
"dateReserved": "2022-12-12T16:15:55.217Z",
"dateUpdated": "2024-08-03T01:41:44.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-2754
Vulnerability from cvelistv5
Published
2023-08-03 13:53
Modified
2024-10-17 14:12
Severity ?
EPSS score ?
Summary
The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS Servers, since WARP acts as local DNS server that performs DNS queries in a secure manner, however, if a user is connected to WARP over an IPv6-capable network, te WARP client did not assign loopback IPv6 addresses but Unique Local Addresses, which under certain conditions could point towards unknown devices in the same local network which enables an Attacker to view DNS queries made by the device.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloudflare | WARP |
Version: 0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:33:05.480Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-mv6g-7577-vq4w"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://developers.cloudflare.com/warp-client/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2754",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T14:12:35.312663Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T14:12:44.334Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"Client"
],
"packageName": "WARP Client",
"platforms": [
"Windows"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"changes": [
{
"at": "2023.7.160.0",
"status": "unaffected"
}
],
"lessThan": "2023.7.160.0",
"status": "affected",
"version": "0",
"versionType": "release"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe victim\u0027s device would need to be connected to a rogue Wi-Fi network, that announces support for IPv6, and assigns itself the same IPv6 address that WARP Client sets the IPv6 DNS server as.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "The victim\u0027s device would need to be connected to a rogue Wi-Fi network, that announces support for IPv6, and assigns itself the same IPv6 address that WARP Client sets the IPv6 DNS server as.\n\n"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "vanhoefm"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS Servers, since WARP acts as local DNS server that performs DNS queries in a secure manner, however, if a user is connected to WARP over an IPv6-capable network, te WARP client did not assign loopback IPv6 addresses but Unique Local Addresses, which under certain conditions could point towards unknown devices in the same local network which enables an Attacker to view DNS queries made by the device.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS Servers, since WARP acts as local DNS server that performs DNS queries in a secure manner, however, if a user is connected to WARP over an IPv6-capable network, te WARP client did not assign loopback IPv6 addresses but Unique Local Addresses, which under certain conditions could point towards unknown devices in the same local network which enables an Attacker to view DNS queries made by the device.\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-117",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-117 Interception"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-03T13:53:00.634Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-mv6g-7577-vq4w"
},
{
"tags": [
"product"
],
"url": "https://developers.cloudflare.com/warp-client/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Users are encouraged to update to the latest WARP Client (Windows) version available:\u0026nbsp;2023.7.160.0"
}
],
"value": "Users are encouraged to update to the latest WARP Client (Windows) version available:\u00a02023.7.160.0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Plaintext transmission of DNS requests in Windows 1.1.1.1 WARP client",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDisabling IPv6 support in local devices\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Disabling IPv6 support in local devices\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2023-2754",
"datePublished": "2023-08-03T13:53:00.634Z",
"dateReserved": "2023-05-17T07:55:45.392Z",
"dateUpdated": "2024-10-17T14:12:44.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2225
Vulnerability from cvelistv5
Published
2022-07-26 11:35
Modified
2024-08-03 00:32
Severity ?
EPSS score ?
Summary
By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to bypass configured Zero Trust security policies (e.g. Secure Web Gateway policies) and features such as 'Lock WARP switch'.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cloudflare/advisories/security/advisories/GHSA-cg88-vx48-976c | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Cloudflare | WARP |
Version: unspecified < 2022.5.341.0 |
||||||||
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:32:09.058Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-cg88-vx48-976c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Windows"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "2022.5.341.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"Linux"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "2022.5.346",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"MacOS"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "2022.5.227.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "WARP client enrolled in the Zero Trust mode."
}
],
"descriptions": [
{
"lang": "en",
"value": "By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to bypass configured Zero Trust security policies (e.g. Secure Web Gateway policies) and features such as \u0027Lock WARP switch\u0027."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-26T11:35:10",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-cg88-vx48-976c"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade WARP Client to the non-vulnerable version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Zero Trust Secure Web Gateway policies bypass using WARP client subcommands ",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"ID": "CVE-2022-2225",
"STATE": "PUBLIC",
"TITLE": "Zero Trust Secure Web Gateway policies bypass using WARP client subcommands "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WARP",
"version": {
"version_data": [
{
"platform": "Windows",
"version_affected": "\u003c",
"version_value": "2022.5.341.0"
}
]
}
},
{
"product_name": "WARP",
"version": {
"version_data": [
{
"platform": "Linux",
"version_affected": "\u003c",
"version_value": "2022.5.346"
}
]
}
},
{
"product_name": "WARP",
"version": {
"version_data": [
{
"platform": "MacOS",
"version_affected": "\u003c",
"version_value": "2022.5.227.0"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "WARP client enrolled in the Zero Trust mode."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to bypass configured Zero Trust security policies (e.g. Secure Web Gateway policies) and features such as \u0027Lock WARP switch\u0027."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/advisories/security/advisories/GHSA-cg88-vx48-976c",
"refsource": "MISC",
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-cg88-vx48-976c"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade WARP Client to the non-vulnerable version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2022-2225",
"datePublished": "2022-07-26T11:35:10",
"dateReserved": "2022-06-27T00:00:00",
"dateUpdated": "2024-08-03T00:32:09.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-3321
Vulnerability from cvelistv5
Published
2022-10-28 09:24
Modified
2024-08-03 01:07
Severity ?
EPSS score ?
Summary
It was possible to bypass Lock WARP switch feature https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch on the WARP iOS mobile client by enabling both "Disable for cellular networks" and "Disable for Wi-Fi networks" switches at once in the application settings. Such configuration caused the WARP client to disconnect and allowed the user to bypass restrictions and policies enforced by the Zero Trust platform.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloudflare | WARP |
Version: 0 ≤ |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.458Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-4463-5p9m-3c78"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"iOS"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "6.14",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Endpoint enrolled on Cloudflare Zero Trust (Cloudflare One)\u003cbr\u003e"
}
],
"value": "Endpoint enrolled on Cloudflare Zero Trust (Cloudflare One)\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Josh (joshmotionfans)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It was possible to bypass \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch\"\u003eLock WARP switch feature\u003c/a\u003e\u0026nbsp;on the WARP iOS mobile client by enabling both \"Disable for cellular networks\" and \"Disable for Wi-Fi networks\" switches at once in the application settings. Such configuration caused the WARP client to disconnect and allowed the user to bypass restrictions and policies enforced by the Zero Trust platform."
}
],
"value": "It was possible to bypass Lock WARP switch feature https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch \u00a0on the WARP iOS mobile client by enabling both \"Disable for cellular networks\" and \"Disable for Wi-Fi networks\" switches at once in the application settings. Such configuration caused the WARP client to disconnect and allowed the user to bypass restrictions and policies enforced by the Zero Trust platform."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-28T09:24:40.799Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-4463-5p9m-3c78"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to specified patched versions.\u003cbr\u003e"
}
],
"value": "Upgrade to specified patched versions.\n"
}
],
"source": {
"advisory": "GHSA-4463-5p9m-3c78",
"discovery": "EXTERNAL"
},
"title": "Lock WARP switch feature bypass on WARP mobile client for iOS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2022-3321",
"datePublished": "2022-10-28T09:24:40.799Z",
"dateReserved": "2022-09-26T16:41:00.464Z",
"dateUpdated": "2024-08-03T01:07:06.458Z",
"requesterUserId": "25b7b156-39bf-4f6b-8c25-8bc69c5c5e82",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-0238
Vulnerability from cvelistv5
Published
2023-08-29 14:56
Modified
2024-09-30 17:47
Severity ?
EPSS score ?
Summary
Due to lack of a security policy, the WARP Mobile Client (<=6.29) for Android was susceptible to this vulnerability which allowed a malicious app installed on a victim's device to exploit a peculiarity in an Android function, wherein under certain conditions, the malicious app could dictate the task behaviour of the WARP app.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloudflare | WARP Client |
Version: 0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:02:44.005Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-23rx-f69w-g75c"
},
{
"tags": [
"x_transferred"
],
"url": "https://developers.cloudflare.com/warp-client/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T17:35:13.806344Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T17:47:12.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "WARP Client",
"vendor": "Cloudflare",
"versions": [
{
"changes": [
{
"at": "6.29",
"status": "unaffected"
}
],
"lessThan": "6.29",
"status": "affected",
"version": "0",
"versionType": "patch"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to lack of a security policy, the WARP Mobile Client (\u0026lt;=6.29) for Android was susceptible to this vulnerability which allowed a malicious app installed on a victim\u0027s device to exploit a peculiarity in an Android function, wherein under certain conditions, the malicious app could dictate the task behaviour of the WARP app."
}
],
"value": "Due to lack of a security policy, the WARP Mobile Client (\u003c=6.29) for Android was susceptible to this vulnerability which allowed a malicious app installed on a victim\u0027s device to exploit a peculiarity in an Android function, wherein under certain conditions, the malicious app could dictate the task behaviour of the WARP app."
}
],
"impacts": [
{
"capecId": "CAPEC-117",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-117 Interception"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-29T14:56:50.791Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-23rx-f69w-g75c"
},
{
"url": "https://developers.cloudflare.com/warp-client/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Injecting Activity Loads in WARP Mobile Client",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2023-0238",
"datePublished": "2023-08-29T14:56:50.791Z",
"dateReserved": "2023-01-12T11:58:45.802Z",
"dateUpdated": "2024-09-30T17:47:12.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2145
Vulnerability from cvelistv5
Published
2022-06-28 17:45
Modified
2024-08-03 00:24
Severity ?
EPSS score ?
Summary
Cloudflare WARP client for Windows (up to v. 2022.5.309.0) allowed creation of mount points from its ProgramData folder. During installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cloudflare/advisories/security/advisories/GHSA-6fpc-qxmr-6wrq | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloudflare | WARP |
Version: unspecified < 2022.5.309.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:44.183Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-6fpc-qxmr-6wrq"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Windows"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "2022.5.309.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Patrick Murphy (@hackandpwn)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Cloudflare WARP client for Windows (up to v. 2022.5.309.0) allowed creation of mount points from its ProgramData folder. During installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-28T17:45:20",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-6fpc-qxmr-6wrq"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade WARP client for Windows to the newest version (at least 2022.5.309.0.)"
}
],
"source": {
"advisory": "GHSA-6fpc-qxmr-6wrq",
"discovery": "EXTERNAL"
},
"title": "Cloudlfare WARP Arbitrary File Overwrite ",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"ID": "CVE-2022-2145",
"STATE": "PUBLIC",
"TITLE": "Cloudlfare WARP Arbitrary File Overwrite "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WARP",
"version": {
"version_data": [
{
"platform": "Windows",
"version_affected": "\u003c",
"version_value": "2022.5.309.0"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Patrick Murphy (@hackandpwn)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloudflare WARP client for Windows (up to v. 2022.5.309.0) allowed creation of mount points from its ProgramData folder. During installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/advisories/security/advisories/GHSA-6fpc-qxmr-6wrq",
"refsource": "MISC",
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-6fpc-qxmr-6wrq"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade WARP client for Windows to the newest version (at least 2022.5.309.0.)"
}
],
"source": {
"advisory": "GHSA-6fpc-qxmr-6wrq",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2022-2145",
"datePublished": "2022-06-28T17:45:20",
"dateReserved": "2022-06-21T00:00:00",
"dateUpdated": "2024-08-03T00:24:44.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-3322
Vulnerability from cvelistv5
Published
2022-10-28 09:25
Modified
2024-08-03 01:07
Severity ?
EPSS score ?
Summary
Lock Warp switch is a feature of Zero Trust platform which, when
enabled, prevents users of enrolled devices from disabling WARP client.
Due to insufficient policy verification by WARP iOS client, this
feature could be bypassed by using the "Disable WARP" quick action.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloudflare | WARP |
Version: 0 ≤ |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.465Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-76pg-rp9h-wmcj"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"iOS"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "6.14",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Endpoint enrolled on Cloudflare Zero Trust (Cloudflare One)\u003cbr\u003e"
}
],
"value": "Endpoint enrolled on Cloudflare Zero Trust (Cloudflare One)\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Josh (joshmotionfans)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cp\u003eLock Warp switch is a feature of Zero Trust platform which, when\n enabled, prevents users of enrolled devices from disabling WARP client.\n Due to insufficient policy verification by WARP iOS client, this \nfeature could be bypassed by using the \"Disable WARP\" quick action.\u003c/p\u003e\u003c/div\u003e"
}
],
"value": "Lock Warp switch is a feature of Zero Trust platform which, when\n enabled, prevents users of enrolled devices from disabling WARP client.\n Due to insufficient policy verification by WARP iOS client, this \nfeature could be bypassed by using the \"Disable WARP\" quick action.\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-28T09:25:55.997Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-76pg-rp9h-wmcj"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to the specified patched version.\u003cbr\u003e"
}
],
"value": "Upgrade to the specified patched version.\n"
}
],
"source": {
"advisory": "GHSA-76pg-rp9h-wmcj",
"discovery": "EXTERNAL"
},
"title": "Lock WARP switch bypass on WARP mobile client using iOS quick action",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2022-3322",
"datePublished": "2022-10-28T09:25:55.997Z",
"dateReserved": "2022-09-26T16:41:02.276Z",
"dateUpdated": "2024-08-03T01:07:06.465Z",
"requesterUserId": "25b7b156-39bf-4f6b-8c25-8bc69c5c5e82",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-3512
Vulnerability from cvelistv5
Published
2022-10-28 09:22
Modified
2024-08-03 01:14
Severity ?
EPSS score ?
Summary
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in Zero Trust policies not being enforced on an affected endpoint.
References
Impacted products
| Vendor | Product | Version | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Cloudflare | WARP |
Version: 0 ≤ |
||||||||
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:14:02.071Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-3868-hwjx-r5xf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "2022.8.857",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "2022.8.936",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"MacOS"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "2022.8.861",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Endpoint enrolled on Cloudflare Zero Trust (Cloudflare One)\u003cbr\u003e"
}
],
"value": "Endpoint enrolled on Cloudflare Zero Trust (Cloudflare One)\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Josh (joshmotionfans)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUsing warp-cli command \"add-trusted-ssid\", a user was able to disconnect WARP client and bypass the \"Lock WARP switch\" feature resulting in Zero Trust policies not being enforced on an affected endpoint.\u003c/p\u003e"
}
],
"value": "Using warp-cli command \"add-trusted-ssid\", a user was able to disconnect WARP client and bypass the \"Lock WARP switch\" feature resulting in Zero Trust policies not being enforced on an affected endpoint.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-28T10:01:33.296Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-3868-hwjx-r5xf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to specified patched versions.\u003cbr\u003e"
}
],
"value": "Upgrade to specified patched versions.\n"
}
],
"source": {
"advisory": "GHSA-3868-hwjx-r5xf",
"discovery": "EXTERNAL"
},
"title": "Lock WARP switch bypass using warp-cli \u0027add-trusted-ssid\u0027 command",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2022-3512",
"datePublished": "2022-10-28T09:22:08.121Z",
"dateReserved": "2022-10-14T15:10:32.501Z",
"dateUpdated": "2024-08-03T01:14:02.071Z",
"requesterUserId": "25b7b156-39bf-4f6b-8c25-8bc69c5c5e82",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-35152
Vulnerability from cvelistv5
Published
2021-02-02 23:35
Modified
2024-09-16 22:25
Severity ?
EPSS score ?
Summary
Cloudflare WARP for Windows allows privilege escalation due to an unquoted service path. A malicious user or process running with non-administrative privileges can become an administrator by abusing the unquoted service path issue. Since version 1.2.2695.1, the vulnerability was fixed by adding quotes around the service's binary path. This issue affects Cloudflare WARP for Windows, versions prior to 1.2.2695.1.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cloudflare/advisories/security/advisories/GHSA-qc57-v5q8-f22h | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloudflare | Cloudflare WARP for Windows |
Version: unspecified < 1.2.2695.1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:55:10.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-qc57-v5q8-f22h"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cloudflare WARP for Windows",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "1.2.2695.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "James Tan"
}
],
"datePublic": "2020-12-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cloudflare WARP for Windows allows privilege escalation due to an unquoted service path. A malicious user or process running with non-administrative privileges can become an administrator by abusing the unquoted service path issue. Since version 1.2.2695.1, the vulnerability was fixed by adding quotes around the service\u0027s binary path. This issue affects Cloudflare WARP for Windows, versions prior to 1.2.2695.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-428",
"description": "CWE-428",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-02T23:35:31",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-qc57-v5q8-f22h"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Privilege escalation through unquoted service binary path on Cloudflare WARP for Windows",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"DATE_PUBLIC": "2020-12-11T20:09:00.000Z",
"ID": "CVE-2020-35152",
"STATE": "PUBLIC",
"TITLE": "Privilege escalation through unquoted service binary path on Cloudflare WARP for Windows"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cloudflare WARP for Windows",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.2.2695.1"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "James Tan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloudflare WARP for Windows allows privilege escalation due to an unquoted service path. A malicious user or process running with non-administrative privileges can become an administrator by abusing the unquoted service path issue. Since version 1.2.2695.1, the vulnerability was fixed by adding quotes around the service\u0027s binary path. This issue affects Cloudflare WARP for Windows, versions prior to 1.2.2695.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-428"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-qc57-v5q8-f22h"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2020-35152",
"datePublished": "2021-02-02T23:35:31.270649Z",
"dateReserved": "2020-12-11T00:00:00",
"dateUpdated": "2024-09-16T22:25:07.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-1862
Vulnerability from cvelistv5
Published
2023-06-20 08:28
Modified
2024-12-09 18:31
Severity ?
EPSS score ?
Summary
Cloudflare WARP client for Windows (up to v2023.3.381.0) allowed a malicious actor to remotely access the warp-svc.exe binary due to an insufficient access control policy on an IPC Named Pipe. This would have enabled an attacker to trigger WARP connect and disconnect commands, as well as obtaining network diagnostics and application configuration from the target's device. It is important to note that in order to exploit this, a set of requirements would need to be met, such as the target's device must've been reachable on port 445, allowed authentication with NULL sessions or otherwise having knowledge of the target's credentials.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloudflare | WARP Client |
Version: 0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:05:26.782Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developers.cloudflare.com/warp-client/get-started/windows/"
},
{
"tags": [
"x_transferred"
],
"url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-q55r-53c8-5642"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1862",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T18:30:47.223049Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T18:31:09.155Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "WARP",
"platforms": [
"Windows"
],
"product": "WARP Client",
"vendor": "Cloudflare",
"versions": [
{
"changes": [
{
"at": "2023.3.381.0",
"status": "unaffected"
}
],
"lessThan": "2023.3.381.0",
"status": "affected",
"version": "0",
"versionType": "patch"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCloudflare WARP client for Windows (up to v2023.3.381.0) allowed a malicious actor to remotely access the \u003cstrong\u003ewarp-svc.exe\u003c/strong\u003e\u0026nbsp;binary due to an insufficient access control policy on an IPC Named Pipe. This would have enabled an attacker to trigger WARP connect and disconnect commands, as well as obtaining network diagnostics and application configuration from the target\u0027s device. It is important to note that in order to exploit this, a set of requirements would need to be met, such as the target\u0027s device must\u0027ve been reachable on port 445, allowed authentication with NULL sessions or otherwise having knowledge of the target\u0027s credentials.\u003c/p\u003e"
}
],
"value": "Cloudflare WARP client for Windows (up to v2023.3.381.0) allowed a malicious actor to remotely access the warp-svc.exe\u00a0binary due to an insufficient access control policy on an IPC Named Pipe. This would have enabled an attacker to trigger WARP connect and disconnect commands, as well as obtaining network diagnostics and application configuration from the target\u0027s device. It is important to note that in order to exploit this, a set of requirements would need to be met, such as the target\u0027s device must\u0027ve been reachable on port 445, allowed authentication with NULL sessions or otherwise having knowledge of the target\u0027s credentials.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-20T08:28:12.578Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://developers.cloudflare.com/warp-client/get-started/windows/"
},
{
"url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"
},
{
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-q55r-53c8-5642"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Remote access to warp-svc.exe in Cloudflare WARP",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2023-1862",
"datePublished": "2023-06-20T08:28:12.578Z",
"dateReserved": "2023-04-05T08:09:47.664Z",
"dateUpdated": "2024-12-09T18:31:09.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-4457
Vulnerability from cvelistv5
Published
2023-01-11 16:32
Modified
2024-08-03 01:41
Severity ?
EPSS score ?
Summary
Due to a misconfiguration in the manifest file of the WARP client for Android, it was possible to a perform a task hijacking attack. An attacker could create a malicious mobile application which could hijack legitimate app and steal potentially sensitive information when installed on the victim's device.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloudflare | WARP |
Version: 0 ≤ |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:41:44.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-35f7-fqrc-4hhj"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "\u003c6.20",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Sheikh Rishad"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDue to a misconfiguration in the manifest file of the WARP client for Android, it was possible to a perform a task hijacking attack. An attacker could create a malicious mobile application which could hijack legitimate app and steal potentially sensitive information when installed on the victim\u0027s device.\u003c/p\u003e"
}
],
"value": "Due to a misconfiguration in the manifest file of the WARP client for Android, it was possible to a perform a task hijacking attack. An attacker could create a malicious mobile application which could hijack legitimate app and steal potentially sensitive information when installed on the victim\u0027s device.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-504",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-504 Task Impersonation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-11T16:33:18.738Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-35f7-fqrc-4hhj"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpgrade WARP client for Android to the latest version (\u0026gt;=6.20)\u003c/p\u003e"
}
],
"value": "Upgrade WARP client for Android to the latest version (\u003e=6.20)\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WARP client manifest misconfiguration leading to Task Hijacking",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2022-4457",
"datePublished": "2023-01-11T16:32:28.382Z",
"dateReserved": "2022-12-13T18:49:13.020Z",
"dateUpdated": "2024-08-03T01:41:44.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2147
Vulnerability from cvelistv5
Published
2022-06-23 21:00
Modified
2024-08-03 00:24
Severity ?
EPSS score ?
Summary
Cloudflare Warp for Windows from version 2022.2.95.0 contained an unquoted service path which enables arbitrary code execution leading to privilege escalation. The fix was released in version 2022.3.186.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cloudflare/advisories/security/advisories/GHSA-m6w8-3pf9-p68r | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloudflare | WARP |
Version: 2022.2.95.0 < unspecified Version: unspecified < 2022.3.186.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:44.346Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-m6w8-3pf9-p68r"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Windows"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.95.0",
"versionType": "custom"
},
{
"lessThan": "2022.3.186.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jonathan Gregson"
}
],
"descriptions": [
{
"lang": "en",
"value": "Cloudflare Warp for Windows from version 2022.2.95.0 contained an unquoted service path which enables arbitrary code execution leading to privilege escalation. The fix was released in version 2022.3.186.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-428",
"description": "CWE-428 Unquoted Search Path or Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-23T21:00:16",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-m6w8-3pf9-p68r"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade WARP to the newest version (at least 2022.3.186.0) "
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unquoted Service Path in Cloudflare WARP for Windows",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"ID": "CVE-2022-2147",
"STATE": "PUBLIC",
"TITLE": "Unquoted Service Path in Cloudflare WARP for Windows"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WARP",
"version": {
"version_data": [
{
"platform": "Windows",
"version_affected": "\u003e=",
"version_value": "2022.2.95.0"
},
{
"platform": "Windows",
"version_affected": "\u003c",
"version_value": "2022.3.186.0"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jonathan Gregson"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloudflare Warp for Windows from version 2022.2.95.0 contained an unquoted service path which enables arbitrary code execution leading to privilege escalation. The fix was released in version 2022.3.186.0."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-428 Unquoted Search Path or Element"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/advisories/security/advisories/GHSA-m6w8-3pf9-p68r",
"refsource": "MISC",
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-m6w8-3pf9-p68r"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade WARP to the newest version (at least 2022.3.186.0) "
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2022-2147",
"datePublished": "2022-06-23T21:00:16",
"dateReserved": "2022-06-21T00:00:00",
"dateUpdated": "2024-08-03T00:24:44.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-3337
Vulnerability from cvelistv5
Published
2022-10-28 09:25
Modified
2024-08-03 01:07
Severity ?
EPSS score ?
Summary
It was possible for a user to delete a VPN profile from WARP mobile client on iOS platform despite the Lock WARP switch https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch feature
being enabled on Zero Trust Platform. This led to bypassing policies
and restrictions enforced for enrolled devices by the Zero Trust
platform.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloudflare | WARP |
Version: 0 ≤ |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.580Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-vr93-4vx7-332p"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"iOS"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "6.15",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Endpoint enrolled on Cloudflare Zero Trust (Cloudflare One)\u003cbr\u003e"
}
],
"value": "Endpoint enrolled on Cloudflare Zero Trust (Cloudflare One)\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Josh (joshmotionfans)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cp\u003eIt was possible for a user to delete a VPN profile from WARP mobile client on iOS platform despite the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch\"\u003eLock WARP switch\u003c/a\u003e\u0026nbsp;feature\n being enabled on Zero Trust Platform. This led to bypassing policies \nand restrictions enforced for enrolled devices by the Zero Trust \nplatform.\u003c/p\u003e\u003c/div\u003e"
}
],
"value": "It was possible for a user to delete a VPN profile from WARP mobile client on iOS platform despite the Lock WARP switch https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch \u00a0feature\n being enabled on Zero Trust Platform. This led to bypassing policies \nand restrictions enforced for enrolled devices by the Zero Trust \nplatform.\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-28T09:25:31.596Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-vr93-4vx7-332p"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to specified patched version.\u003cbr\u003e"
}
],
"value": "Upgrade to specified patched version.\n"
}
],
"source": {
"advisory": "GHSA-vr93-4vx7-332p",
"discovery": "EXTERNAL"
},
"title": "Lock WARP switch bypass by removing VPN profile on iOS mobile client",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2022-3337",
"datePublished": "2022-10-28T09:25:31.596Z",
"dateReserved": "2022-09-27T10:25:13.653Z",
"dateUpdated": "2024-08-03T01:07:06.580Z",
"requesterUserId": "25b7b156-39bf-4f6b-8c25-8bc69c5c5e82",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-1412
Vulnerability from cvelistv5
Published
2023-04-05 15:22
Modified
2024-08-02 05:49
Severity ?
EPSS score ?
Summary
An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for Windows (<= 2022.12.582.0) to perform privileged operations with SYSTEM context by working with a combination of opportunistic locks (oplock) and symbolic links (which can both be created by an unprivileged user).
After installing the Cloudflare WARP Client (admin privileges required), an MSI-Installer is placed under C:\Windows\Installer. The vulnerability lies in the repair function of this MSI.
ImpactAn unprivileged (non-admin) user can exploit this vulnerability to perform privileged operations with SYSTEM context, including deleting arbitrary files and reading arbitrary file content. This can lead to a variety of attacks, including the manipulation of system files and privilege escalation.
PatchesA new installer with a fix that addresses this vulnerability was released in version 2023.3.381.0. While the WARP Client itself is not vulnerable (only the installer), users are encouraged to upgrade to the latest version and delete any older installers present in their systems.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloudflare | WARP |
Version: 0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:49:11.409Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-hgxh-48m3-3gq7"
},
{
"tags": [
"x_transferred"
],
"url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"
},
{
"tags": [
"x_transferred"
],
"url": "https://developers.cloudflare.com/warp-client/get-started/windows/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "WARP Installer",
"platforms": [
"Windows"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"changes": [
{
"at": "2023.3.381.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "2022.5.309.0",
"status": "affected",
"version": "0",
"versionType": "N/A"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for Windows (\u0026lt;= 2022.12.582.0) to perform privileged operations with SYSTEM context by working with a combination of opportunistic locks (oplock) and symbolic links (which can both be created by an unprivileged user).\u003c/p\u003e\u003cdiv\u003e\u003cp\u003eAfter installing the Cloudflare WARP Client (admin privileges required), an MSI-Installer is placed under C:\\Windows\\Installer. The vulnerability lies in the repair function of this MSI.\u003c/p\u003e\u003ch3\u003eImpact\u003c/h3\u003e\u003cp\u003eAn unprivileged (non-admin) user can exploit this vulnerability to perform privileged operations with SYSTEM context, including deleting arbitrary files and reading arbitrary file content. This can lead to a variety of attacks, including the manipulation of system files and privilege escalation.\u003c/p\u003e\u003ch3\u003ePatches\u003c/h3\u003e\u003cp\u003eA new installer with a fix that addresses this vulnerability was released in version \u003cstrong\u003e2023.3.381.0\u003c/strong\u003e. While the WARP Client itself is not vulnerable (only the installer), users are encouraged to upgrade to the latest version and delete any older installers present in their systems.\u003c/p\u003e\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for Windows (\u003c= 2022.12.582.0) to perform privileged operations with SYSTEM context by working with a combination of opportunistic locks (oplock) and symbolic links (which can both be created by an unprivileged user).\n\nAfter installing the Cloudflare WARP Client (admin privileges required), an MSI-Installer is placed under C:\\Windows\\Installer. The vulnerability lies in the repair function of this MSI.\n\nImpactAn unprivileged (non-admin) user can exploit this vulnerability to perform privileged operations with SYSTEM context, including deleting arbitrary files and reading arbitrary file content. This can lead to a variety of attacks, including the manipulation of system files and privilege escalation.\n\nPatchesA new installer with a fix that addresses this vulnerability was released in version 2023.3.381.0. While the WARP Client itself is not vulnerable (only the installer), users are encouraged to upgrade to the latest version and delete any older installers present in their systems.\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-05T15:22:56.317Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-hgxh-48m3-3gq7"
},
{
"url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"
},
{
"url": "https://developers.cloudflare.com/warp-client/get-started/windows/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Local Privilege Escalation Vulnerability in WARP\u0027s MSI Installer",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2023-1412",
"datePublished": "2023-04-05T15:22:56.317Z",
"dateReserved": "2023-03-15T13:33:23.768Z",
"dateUpdated": "2024-08-02T05:49:11.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-3320
Vulnerability from cvelistv5
Published
2022-10-28 09:30
Modified
2024-08-03 01:07
Severity ?
EPSS score ?
Summary
It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint' subcommand. Using this command with an unreachable endpoint caused the WARP Client to disconnect and allowed bypassing administrative restrictions on a Zero Trust enrolled endpoint.
References
Impacted products
| Vendor | Product | Version | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Cloudflare | WARP |
Version: 0 ≤ |
||||||||
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.479Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-3868-hwjx-r5xf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "2022.8.857.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "2022.8.936",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"MacOS"
],
"product": "WARP",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "2022.8.861.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Endpoint enrolled on Cloudflare Zero Trust (Cloudflare One)\u003cbr\u003e"
}
],
"value": "Endpoint enrolled on Cloudflare Zero Trust (Cloudflare One)\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "suzuka (HackerOne researcher)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cdiv\u003e\u003cp\u003eIt was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli \u0027set-custom-endpoint\u0027 subcommand. Using this command with an unreachable endpoint caused the WARP Client to disconnect and allowed bypassing administrative restrictions on a Zero Trust enrolled endpoint. \u003c/p\u003e\u003c/div\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli \u0027set-custom-endpoint\u0027 subcommand. Using this command with an unreachable endpoint caused the WARP Client to disconnect and allowed bypassing administrative restrictions on a Zero Trust enrolled endpoint. \n\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-28T10:02:20.129Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-3868-hwjx-r5xf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to specified patched versions.\u003cbr\u003e"
}
],
"value": "Upgrade to specified patched versions.\n"
}
],
"source": {
"advisory": "GHSA-3868-hwjx-r5xf",
"discovery": "EXTERNAL"
},
"title": "Bypassing Cloudflare Zero Trust policies using warp-cli set-custom-endpoint command",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2022-3320",
"datePublished": "2022-10-28T09:30:17.600Z",
"dateReserved": "2022-09-26T16:40:57.968Z",
"dateUpdated": "2024-08-03T01:07:06.479Z",
"requesterUserId": "25b7b156-39bf-4f6b-8c25-8bc69c5c5e82",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}