CVE-2020-26941
CVSS V2 Low 3.6
CVSS V3 Medium 5.5
Description
A local (authenticated) low-privileged user can exploit a behavior in an ESET installer to achieve arbitrary file overwrite (deletion) of any file via a symlink, due to insecure permissions. The possibility of exploiting this vulnerability is limited and can only take place during the installation phase of ESET products. Furthermore, exploitation can only succeed when Self-Defense is disabled. Affected products are: ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security, ESET Smart Security Premium versions 13.2 and lower; ESET Endpoint Antivirus, ESET Endpoint Security, ESET NOD32 Antivirus Business Edition, ESET Smart Security Business Edition versions 7.3 and lower; ESET File Security for Microsoft Windows Server, ESET Mail Security for Microsoft Exchange Server, ESET Mail Security for IBM Domino, ESET Security for Kerio, ESET Security for Microsoft SharePoint Server versions 7.2 and lower.
Overview
- CVE ID
- CVE-2020-26941
- Assigner
- cve@mitre.org
- Vulnerability Status
- Analyzed
- Published Version
- 2021-01-26T18:15:45
- Last Modified Date
- 2021-02-02T18:34:14
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:eset:endpoint_antivirus:*:*:*:*:*:-:*:* | 1 | OR | 7.3 | |
| cpe:2.3:a:eset:endpoint_security:*:*:*:*:*:*:*:* | 1 | OR | 7.3 | |
| cpe:2.3:a:eset:file_security:*:*:*:*:*:windows_server:*:* | 1 | OR | 7.2 | |
| cpe:2.3:a:eset:internet_security:*:*:*:*:*:*:*:* | 1 | OR | 13.2 | |
| cpe:2.3:a:eset:internet_security:1294:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:eset:mail_security:*:*:*:*:*:domino:*:* | 1 | OR | 7.2 | |
| cpe:2.3:a:eset:mail_security:*:*:*:*:*:exchange_server:*:* | 1 | OR | 7.2 | |
| cpe:2.3:a:eset:nod32_antivirus:*:*:*:*:business:*:*:* | 1 | OR | 7.3 | |
| cpe:2.3:a:eset:nod32_antivirus:*:*:*:*:*:-:*:* | 1 | OR | 13.2 | |
| cpe:2.3:a:eset:security:*:*:*:*:*:kerio:*:* | 1 | OR | 7.2 | |
| cpe:2.3:a:eset:security:*:*:*:*:*:sharepoint_server:*:* | 1 | OR | 7.2 | |
| cpe:2.3:a:eset:smart_security:*:*:*:*:business:*:*:* | 1 | OR | 7.3 | |
| cpe:2.3:a:eset:smart_security:*:*:*:*:-:*:*:* | 1 | OR | 13.2 | |
| cpe:2.3:a:eset:smart_security:*:*:*:*:premium:*:*:* | 1 | OR | 13.2 |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:L/AC:L/Au:N/C:N/I:P/A:P
- Access Vector
- LOCAL
- Access Compatibility
- LOW
- Authentication
- NONE
- Confidentiality Impact
- NONE
- Integrity Impact
- PARTIAL
- Availability Impact
- PARTIAL
- Base Score
- 3.6
- Severity
- LOW
- Exploitability Score
- 3.9
- Impact Score
- 4.9
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- Attack Vector
- LOCAL
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- NONE
- Availability Impact
- NONE
- Base Score
- 5.5
- Base Severity
- MEDIUM
- Exploitability Score
- 1.8
- Impact Score
- 3.6
References
| Reference URL | Reference Tags |
|---|---|
| https://support.eset.com/en/ca7794-local-privilege-escalation-vulnerability-fixed-in-eset-products-for-windows | Vendor Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2020-26941 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26941 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 07:24:58 | Added to TrackCVE | |||
| 2022-12-05 20:48:33 | 2021-01-26T18:15Z | 2021-01-26T18:15:45 | CVE Published Date | updated |
| 2022-12-05 20:48:33 | 2021-02-02T18:34:14 | CVE Modified Date | updated | |
| 2022-12-05 20:48:33 | Analyzed | Vulnerability Status | updated |