We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-49360

Path traversal in Sandboxie



Description

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. An authenticated user (**UserA**) with no privileges is authorized to read all files created in sandbox belonging to other users in the sandbox folders `C:\Sandbox\UserB\xxx`. An authenticated attacker who can use `explorer.exe` or `cmd.exe` outside any sandbox can read other users' files in `C:\Sandbox\xxx`. By default in Windows 7+, the `C:\Users\UserA` folder is not readable by **UserB**. All files edited or created during the sandbox processing are affected by the vulnerability. All files in C:\Users are safe. If `UserB` runs a cmd in a sandbox, he will be able to access `C:\Sandox\UserA`. In addition, if **UserB** create a folder `C:\Sandbox\UserA` with malicious ACLs, when **UserA** will user the sandbox, Sandboxie doesn't reset ACLs ! This issue has not yet been fixed. Users are advised to limit access to their systems using Sandboxie.

Reserved 2024-10-14 | Published 2024-11-29 | Updated 2024-12-02 | Assigner GitHub_M


CRITICAL: 9.2CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

< v1.14.6 / 5.69.6
affected

References

github.com/...dboxie/security/advisories/GHSA-4chj-3c28-gvmp

cve.org (CVE-2024-49360)

nvd.nist.gov (CVE-2024-49360)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-49360

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.