CVE-2023-45159 (GCVE-0-2023-45159)

Vulnerability from cvelistv5 – Published: 2023-10-05 10:11 – Updated: 2025-06-18 18:40
VLAI?
Title
1E Client installer can perform arbitrary file deletion on protected files
Summary
1E Client installer can perform arbitrary file deletion on protected files.   A non-privileged user could provide a symbolic link or Windows junction to point to a protected directory in the installer that the 1E Client would then clear on service startup. A hotfix is available from the 1E support portal that forces the 1E Client to check for a symbolic link or junction and if it finds one refuses to use that path and instead creates a path involving a random GUID. for v8.1 use hotfix Q23097 for v8.4 use hotfix Q23105 for v9.0 use hotfix Q23115 for SaaS customers, use 1EClient v23.7 plus hotfix Q23121
Severity ?
8.4 (High)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
1E
References
Impacted products
Vendor Product Version
1E 1E Client Affected: 0 , < 8.1.2.62 (Q23097)
Affected: 0 , < 8.4.1.159 (Q23105)
Affected: 0 , < 9.0.1.88 (Q23115)
Affected: 0 , < 23.7.1.151 (Q23121)
Create a notification for this product.
Credits
Thanks to Lockheed Martin red team who reported this issue.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T20:14:19.830Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.1e.com/trust-security-compliance/cve-info/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:1e:client:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "client",
            "vendor": "1e",
            "versions": [
              {
                "lessThan": "8.1.2.62",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.4.1.159",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "9.0.1.88",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "23.7.1.151",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-45159",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-19T17:33:38.940543Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-17T14:24:11.447Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "platforms": [
            "Windows"
          ],
          "product": "1E Client",
          "vendor": "1E",
          "versions": [
            {
              "changes": [
                {
                  "at": "Q23097",
                  "status": "unaffected"
                }
              ],
              "lessThan": "8.1.2.62",
              "status": "affected",
              "version": "0",
              "versionType": "Q23097"
            },
            {
              "changes": [
                {
                  "at": "Q23105",
                  "status": "unaffected"
                }
              ],
              "lessThan": "8.4.1.159",
              "status": "affected",
              "version": "0",
              "versionType": "Q23105"
            },
            {
              "changes": [
                {
                  "at": "Q23115",
                  "status": "unaffected"
                }
              ],
              "lessThan": "9.0.1.88",
              "status": "affected",
              "version": "0",
              "versionType": "Q23115"
            },
            {
              "changes": [
                {
                  "at": "Q23121",
                  "status": "unaffected"
                }
              ],
              "lessThan": "23.7.1.151",
              "status": "affected",
              "version": "0",
              "versionType": "Q23121"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Thanks to Lockheed Martin red team who reported this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "1E Client installer can perform arbitrary file deletion on protected files.\u0026nbsp;\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA non-privileged user could provide a symbolic link or Windows junction to point to a protected directory in the installer that the 1E Client would then clear on service startup. \u003cbr\u003e\u003cbr\u003eA hotfix is available from the 1E support portal that forces\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethe 1E Client to check for a symbolic link or junction and if it finds one refuses to use that path and instead creates a path involving a random GUID.\u003cbr\u003e\u003cbr\u003efor v8.1 use hotfix Q23097\u003cbr\u003efor v8.4 use hotfix Q23105\u003cbr\u003efor v9.0 use hotfix Q23115\u003cbr\u003e\u003cbr\u003efor SaaS customers, use 1EClient v23.7 plus hotfix Q23121\u003c/span\u003e\u003c/span\u003e"
            }
          ],
          "value": "1E Client installer can perform arbitrary file deletion on protected files.\u00a0\u00a0\n\nA non-privileged user could provide a symbolic link or Windows junction to point to a protected directory in the installer that the 1E Client would then clear on service startup. \n\nA hotfix is available from the 1E support portal that forces\u00a0the 1E Client to check for a symbolic link or junction and if it finds one refuses to use that path and instead creates a path involving a random GUID.\n\nfor v8.1 use hotfix Q23097\nfor v8.4 use hotfix Q23105\nfor v9.0 use hotfix Q23115\n\nfor SaaS customers, use 1EClient v23.7 plus hotfix Q23121"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-122",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-122 Privilege Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T18:40:58.223Z",
        "orgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
        "shortName": "1E"
      },
      "references": [
        {
          "url": "https://www.teamviewer.com/en/resources/trust-center/security-bulletins/1e-2023-2001/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "1E Client installer can perform arbitrary file deletion on protected files",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
    "assignerShortName": "1E",
    "cveId": "CVE-2023-45159",
    "datePublished": "2023-10-05T10:11:20.065Z",
    "dateReserved": "2023-10-04T23:59:54.078Z",
    "dateUpdated": "2025-06-18T18:40:58.223Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.1e.com/trust-security-compliance/cve-info/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T20:14:19.830Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-45159\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-19T17:33:38.940543Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:1e:client:*:*:*:*:*:*:*:*\"], \"vendor\": \"1e\", \"product\": \"client\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"8.1.2.62\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"8.4.1.159\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"9.0.1.88\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"23.7.1.151\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-19T17:38:53.606Z\"}}], \"cna\": {\"title\": \"1E Client installer can perform arbitrary file deletion on protected files\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Thanks to Lockheed Martin red team who reported this issue.\"}], \"impacts\": [{\"capecId\": \"CAPEC-122\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-122 Privilege Abuse\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"1E\", \"product\": \"1E Client\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"Q23097\", \"status\": \"unaffected\"}], \"version\": \"0\", \"lessThan\": \"8.1.2.62\", \"versionType\": \"Q23097\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"Q23105\", \"status\": \"unaffected\"}], \"version\": \"0\", \"lessThan\": \"8.4.1.159\", \"versionType\": \"Q23105\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"Q23115\", \"status\": \"unaffected\"}], \"version\": \"0\", \"lessThan\": \"9.0.1.88\", \"versionType\": \"Q23115\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"Q23121\", \"status\": \"unaffected\"}], \"version\": \"0\", \"lessThan\": \"23.7.1.151\", \"versionType\": \"Q23121\"}], \"platforms\": [\"Windows\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://www.teamviewer.com/en/resources/trust-center/security-bulletins/1e-2023-2001/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"1E Client installer can perform arbitrary file deletion on protected files.\\u00a0\\u00a0\\n\\nA non-privileged user could provide a symbolic link or Windows junction to point to a protected directory in the installer that the 1E Client would then clear on service startup. \\n\\nA hotfix is available from the 1E support portal that forces\\u00a0the 1E Client to check for a symbolic link or junction and if it finds one refuses to use that path and instead creates a path involving a random GUID.\\n\\nfor v8.1 use hotfix Q23097\\nfor v8.4 use hotfix Q23105\\nfor v9.0 use hotfix Q23115\\n\\nfor SaaS customers, use 1EClient v23.7 plus hotfix Q23121\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"1E Client installer can perform arbitrary file deletion on protected files.\u0026nbsp;\u0026nbsp;\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eA non-privileged user could provide a symbolic link or Windows junction to point to a protected directory in the installer that the 1E Client would then clear on service startup. \u003cbr\u003e\u003cbr\u003eA hotfix is available from the 1E support portal that forces\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003ethe 1E Client to check for a symbolic link or junction and if it finds one refuses to use that path and instead creates a path involving a random GUID.\u003cbr\u003e\u003cbr\u003efor v8.1 use hotfix Q23097\u003cbr\u003efor v8.4 use hotfix Q23105\u003cbr\u003efor v9.0 use hotfix Q23115\u003cbr\u003e\u003cbr\u003efor SaaS customers, use 1EClient v23.7 plus hotfix Q23121\u003c/span\u003e\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-59\", \"description\": \"CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"4a68d2b9-b68a-4765-95bd-17f35092666b\", \"shortName\": \"1E\", \"dateUpdated\": \"2025-05-20T08:25:59.533Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-45159\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-17T14:24:11.447Z\", \"dateReserved\": \"2023-10-04T23:59:54.078Z\", \"assignerOrgId\": \"4a68d2b9-b68a-4765-95bd-17f35092666b\", \"datePublished\": \"2023-10-05T10:11:20.065Z\", \"assignerShortName\": \"1E\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.