CVE-2019-12532 Information
Feb 14, 2021
Description
Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege or information disclosure via local access. This is a software vulnerability, not a firmware issue. Affected tools include: H2OFFT version 3.025.28 100.00.00.00100.00.08.23 and 200.00.00.01~200.00.00.05; H2OOAE before version 200.00.00.02; H2OSDE before version 200.00.00.07; H2OUVE before version 200.00.02.02; H2OPCM before version 100.00.06.00; H2OELV before version 100.00.02.08.
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Reference
https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered/
https://www.insyde.com/security-pledge/SA-2019001
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
7.8
Base Severity
HIGH