Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Local Privilege Escalation in Sparkle Autoupdate Daemon
Vulnerability Description
The Sparkle framework includes a helper tool Autoupdate. Due to lack of authentication of connecting clients a local unprivileged attacker can request installation of crafted malicious PKG file by racing to connect to the daemon when other app spawns it as root. This results in local privilege escalation to root privileges. It is worth noting that it is possible to spawn Autopudate manually via Installer XPC service. However this requires the victim to enter credentials upon system authorization dialog creation that can be modified by the attacker. This issue was fixed in version 2.7.2
CVSS Information
N/A
Vulnerability Type
授权机制不正确
Vulnerability Title
Sparkle 安全漏洞
Vulnerability Description
Sparkle是Sparkle Project开源的一个macOS的软件更新框架。 Sparkle 2.7.2之前版本存在安全漏洞,该漏洞源于缺少客户端身份验证,可能导致本地权限提升至root权限。
CVSS Information
N/A
Vulnerability Type
N/A