CVE-2024-49360

Summary

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. An authenticated user (UserA) with no privileges is authorized to read all files created in sandbox belonging to other users in the sandbox folders C:\Sandbox\UserB\xxx. An authenticated attacker who can use explorer.exe or cmd.exe outside any sandbox can read other users' files in C:\Sandbox\xxx. By default in Windows 7+, the C:\Users\UserA folder is not readable by UserB. All files edited or created during the sandbox processing are affected by the vulnerability. All files in C:\Users are safe. If UserB runs a cmd in a sandbox, he will be able to access C:\Sandox\UserA. In addition, if UserB create a folder C:\Sandbox\UserA with malicious ACLs, when UserA will user the sandbox, Sandboxie doesn't reset ACLs ! This issue has not yet been fixed. Users are advised to limit access to their systems using Sandboxie.

Affected Software

VendorProductVersion RangeStatus
sandboxie-plusSandboxie< v1.14.6 / 5.69.6affected

Weaknesses

  • CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References