#VU83466 Path traversal in Intel products - CVE-2023-24592

Cybersecurity Help s.r.o.

Published: 2023-11-23

Vulnerability identifier: #VU83466

Vulnerability risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-24592

CWE-ID: CWE-22

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Intel Advisor
Other software / Other software solutions
Intel Inspector
Hardware solutions / Firmware
Intel oneAPI Base Toolkit
Universal components / Libraries / Software for developers
Intel oneAPI HPC Toolkit
Universal components / Libraries / Software for developers
MPI Library
Universal components / Libraries / Libraries used by multiple products

Vendor: Intel

Description

The vulnerability allows a local user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A local user can send a specially crafted HTTP request and read arbitrary files on the system, leading to privilege escalation.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Intel Advisor: before 2023.1

Intel Inspector: before 2023.1

Intel oneAPI Base Toolkit: before 2023.1

Intel oneAPI HPC Toolkit: before 2023.1

MPI Library: before 2021.9

External links
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00841.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Intel oneAPI Toolkit and Component