CVE-2024-23460 Vulnerability Details

CVE-2024-23460 Metadata Quick Info

CVE Published: 06/08/2024 | CVE Updated: 06/08/2024 | CVE Year: 2024
Source: Zscaler | Vendor: Zscaler | Product: Client Connector
Status: PUBLISHED

CVE-2024-23460 Description

The Zscaler Updater process does not validate the digital signature of the installer before executing it, which allows arbitrary code to be executed locally. This affects Zscaler Client Connector on macOS versions before 4.2.

Metrics

CVSS Version: 3.1 | Base Score: 6.4 MEDIUM
Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

➤ Exploitability Metrics:
    Attack Vector (AV): ADJACENT_NETWORK
    Attack Complexity (AC): HIGH
    Privileges Required (PR): LOW
    User Interaction (UI): NONE
    Scope (S): UNCHANGED

➤ Impact Metrics:
    Confidentiality Impact (C): HIGH
    Integrity Impact (I): HIGH
    Availability Impact (A): NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-347
CWE Name: CWE-347 Improper Verification of Cryptographic Signature
Source: Zscaler

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-558
CAPEC Description: CAPEC-558 Replace Trusted Executable


Source: NVD (National Vulnerability Database).