Parallels Access 6.5.4 Desktop Control Agent service uncontrolled search path

A vulnerability classified as critical has been found in Parallels Access 6.5.4. This affects an unknown function of the component Desktop Control Agent service. No information about possible countermeasures is known. Replacing the affected product with an alternative may be advisable.

| Field | 07/19/2022 11:38 AM | 08/06/2022 02:26 PM |
|---|---|---|
| vendor | Parallels | Parallels |
| name | Access | Access |
| version | 6.5.4 | 6.5.4 |
| component | Desktop Control Agent service | Desktop Control Agent service |
| cwe | 427 (uncontrolled search path) | 427 (uncontrolled search path) |
| risk | 2 | 2 |
| cvss3_vuldb_av | N | N |
| cvss3_vuldb_ac | L | L |
| cvss3_vuldb_pr | L | L |
| cvss3_vuldb_ui | N | N |
| cvss3_vuldb_s | U | U |
| cvss3_vuldb_c | H | H |
| cvss3_vuldb_i | H | H |
| cvss3_vuldb_a | H | H |
| cvss3_vuldb_rc | C | C |
| cvss3_cna_av | L | L |
| cvss3_cna_ac | L | L |
| cvss3_cna_pr | L | L |
| cvss3_cna_ui | N | N |
| cvss3_cna_s | U | U |
| cvss3_cna_c | H | H |
| cvss3_cna_i | H | H |
| cvss3_cna_a | H | H |
| url | https://www.zerodayinitiative.com/advisories/ZDI-22-946/ | https://www.zerodayinitiative.com/advisories/ZDI-22-946/ |
| confirm_url | https://kb.parallels.com/en/129010 | https://kb.parallels.com/en/129010 |
| cve | CVE-2022-34902 | CVE-2022-34902 |
| cve_assigned | 1656626400 (07/01/2022) | 1656626400 (07/01/2022) |
| cve_cna | Zero Day Initiative | Zero Day Initiative |
| cve_nvd_summary | This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.4 (39316) Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Desktop Control Agent service. The service loads Qt plugins from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-15787. | This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.4 (39316) Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Desktop Control Agent service. The service loads Qt plugins from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-15787. |
| date | 1658181600 (07/19/2022) | 1658181600 (07/19/2022) |
| cvss2_vuldb_av | N | N |
| cvss2_vuldb_ac | L | L |
| cvss2_vuldb_ci | C | C |
| cvss2_vuldb_ii | C | C |
| cvss2_vuldb_ai | C | C |
| cvss2_vuldb_rc | C | C |
| cvss2_vuldb_au | S | S |
| cvss2_vuldb_e | ND | ND |
| cvss2_vuldb_rl | ND | ND |
| cvss3_vuldb_e | X | X |
| cvss3_vuldb_rl | X | X |
| cvss3_cna_basescore | 7.8 | 7.8 |
| cvss2_vuldb_basescore | 9.0 | 9.0 |
| cvss2_vuldb_tempscore | 9.0 | 9.0 |
| cvss3_vuldb_basescore | 8.8 | 8.8 |
| cvss3_vuldb_tempscore | 8.8 | 8.8 |
| cvss3_meta_basescore | 8.3 | 8.1 |
| cvss3_meta_tempscore | 8.3 | 8.1 |
| price_0day | $0-$5k | $0-$5k |
| cvss3_nvd_av | | L |
| cvss3_nvd_ac | | L |
| cvss3_nvd_pr | | L |
| cvss3_nvd_ui | | N |
| cvss3_nvd_s | | U |
| cvss3_nvd_c | | H |
| cvss3_nvd_i | | H |
| cvss3_nvd_a | | H |
| cvss3_nvd_basescore | | 7.8 |
