getcursor up to 0.40.x Environment Variable DYLD_INSERT_LIBRARIES insecure inherited permissions

Summaryinfo

A vulnerability described as problematic has been identified in getcursor cursor up to 0.40.x. This vulnerability affects unknown code of the component Environment Variable Handler. Such manipulation of the argument DYLD_INSERT_LIBRARIES leads to insecure inherited permissions. This vulnerability is uniquely identified as CVE-2024-45599. Local access is required to approach this attack. No exploit exists. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability was found in getcursor cursor up to 0.40.x and classified as problematic. Affected by this issue is an unknown code block of the component Environment Variable Handler. The manipulation of the argument DYLD_INSERT_LIBRARIES with an unknown input leads to a insecure inherited permissions vulnerability. Using CWE to declare the problem leads to CWE-277. A product defines a set of insecure permissions that are inherited by objects that are created by the program. Impacted is confidentiality. CVE summarizes:

Cursor is an artificial intelligence code editor. Prior to version 0.41.0, if a user on macOS has granted Cursor access to the camera or microphone, any program that is run on the machine is able to access the camera or the microphone without explicitly being granted access, through a DyLib Injection using DYLD_INSERT_LIBRARIES environment variable. The usage of `com.apple.security.cs.allow-dyld-environment-variables` and `com.apple.security.cs.disable-library-validation` allows an external dynamic library to be injected into the application using DYLD_INSERT_LIBRARIES environment variable. Moreover, the entitlement `com.apple.security.device.camera` allows the application to use the host camera and `com.apple.security.device.audio-input` allows the application to use the microphone. This means that untrusted code that is executed on the user's machine can access the camera or the microphone, if the user has already given permission for Cursor to do so. In version 0.41.0, the entitlements have been split by process: the main process gets the camera and microphone entitlements, but not the DyLib entitlements, whereas the extension host process gets the DyLib entitlements but not the camera or microphone entitlements. As a workaround, do not explicitly give Cursor the permission to access the camera or microphone if untrusted users can run arbitrary commands on the affected machine.

The advisory is available at github.com. This vulnerability is handled as CVE-2024-45599 since 09/02/2024. The exploitation is known to be easy. Local access is required to approach this attack. Technical details are known, but there is no available exploit. This vulnerability is assigned to T1222 by the MITRE ATT&CK project.

Upgrading to version 0.41.0 eliminates this vulnerability.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Vendor

• getcursor

Name

• cursor

Version

• 0.1
• 0.2
• 0.3
• 0.4
• 0.5
• 0.6
• 0.7
• 0.8
• 0.9
• 0.10
• 0.11
• 0.12
• 0.13
• 0.14
• 0.15
• 0.16
• 0.17
• 0.18
• 0.19
• 0.20
• 0.21
• 0.22
• 0.23
• 0.24
• 0.25
• 0.26
• 0.27
• 0.28
• 0.29
• 0.30
• 0.31
• 0.32
• 0.33
• 0.34
• 0.35
• 0.36
• 0.37
• 0.38
• 0.39
• 0.40

Website

• Product: https://github.com/getcursor/cursor/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion