CVE-2020-1984

Summary

Secdo tries to execute a script at a hardcoded path if present, which allows a local authenticated user with 'create folders or append data' access to the root of the OS disk (C:) to gain system privileges if the path does not already exist or is writable. This issue affects all versions of Secdo for Windows.

Affected Software

VendorProductVersion RangeStatus
SecdoSecdoall versionsaffected

Weaknesses

  • CWE-73: CWE-73 External Control of File Name or Path

Workarounds

This issue can be mitigated by :

  • Ensure unprivileged users do not have 'create folder' access on the root of filesystem such as C:. or
  • Creating a folder named C:\Common and ensuring unprivileged users do not have 'create folder' access.

ADP Enrichment

CVE Program Container

Additional References

References