Headline
CVE-2023-39520: Release 1.9.3 (Windows Only) · cryptomator/cryptomator
Cryptomator encrypts data being stored on cloud infrastructure. The MSI installer provided on the homepage for Cryptomator version 1.9.2 allows local privilege escalation for low-privileged users via the repair function. The problem occurs because the repair function of the MSI spawns a SYSTEM PowerShell without the -NoProfile parameter, so the profile of the user starting the repair is loaded. Version 1.9.3 contains a fix for this issue. Adding -NoProfile to the PowerShell invocation is a possible workaround.
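The root cause described above is a single missing host option, which can be audited in command lines collected from installer custom actions or process-creation logs. The Python check below is an added example, not code from Cryptomator or the advisory; the function names and sample command lines are constructed, and the option tables are a simplified subset of the PowerShell host's switches.

```python
import shlex

HOSTS = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}
# After -Command / -File the rest of the line is script text, not host options.
TERMINATORS = ("command", "file")
# Host options that consume the next token as a value (simplified subset).
VALUE_OPTS = ("executionpolicy", "ep", "windowstyle", "encodedcommand", "ec",
              "version", "inputformat", "outputformat")

def _abbrev(switch, full, min_len=1):
    """True if `switch` is an accepted prefix abbreviation of option `full`."""
    return len(switch) >= min_len and full.startswith(switch)

def loads_profile(cmdline):
    """True: PowerShell launch that will load profile scripts.
    False: -NoProfile is in effect. None: not a PowerShell launch."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens:
        return None
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in HOSTS:
        return None
    skip_value = False
    for tok in tokens[1:]:
        if skip_value:              # value of the previous option
            skip_value = False
            continue
        if tok[:1] not in ("-", "/"):
            break                   # bare token: command or script starts here
        name = tok.lstrip("-/").lower()
        if _abbrev(name, "noprofile", 3):   # -nop, -NoPr, ... -NoProfile
            return False
        if any(_abbrev(name, t) for t in TERMINATORS):
            break                   # a later -NoProfile is only a script argument
        skip_value = any(_abbrev(name, v) for v in VALUE_OPTS)
    return True

# Constructed sample command lines (not taken from the Cryptomator installer).
SAMPLES = [
    r'powershell.exe -ExecutionPolicy Bypass -File C:\Temp\setup.ps1',
    r'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Temp\setup.ps1',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -NoPr -Command "Get-Date"',
    r'powershell.exe -File C:\Temp\setup.ps1 -NoProfile',
    r'cmd.exe /c echo ok',
]

def audit(cmdlines):
    """Return the command lines that start PowerShell without -NoProfile."""
    return [c for c in cmdlines if loads_profile(c)]
```

Abbreviated switches and a -NoProfile placed after -File are the two cases a plain substring search for the flag gets wrong.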
1.9.3
This tag was signed with the committer’s verified signature.
34c0f1d
This commit was signed with the committer’s verified signature.
Changes
Security Fixes 🚨
- Local Privilege Escalation: Windows MSI installer allowed access to admin powershell window (GHSA-62gx-54j7-mjh3), reported by @PfiatDe
As usual, the GPG signatures can be checked using our public key 5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235.
Full Changelog: 1.9.2…1.9.3
💾 SHA-256 checksums of release artifacts:
4a6ea9d36028cc928623a30d9cfb067929fee901487d537d3113a894aa68b453 .\Cryptomator-1.9.3-x64.exe
769310d33edad3a4c5da5a8f0c00a2a59a536b47307d5e708c08d535c06fdd59 .\Cryptomator-1.9.3-x64.msi