CVE-2024-7457
BaseFortify
Publication date: 2025-06-11
Last updated on: 2025-06-12
Assigner: Pentraze
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the ws.stash.app.mac.daemon.helper tool due to incorrect use of macOS's authorization model. Instead of verifying the client's authorization, the helper uses its own privileged root context to authorize actions, effectively granting itself elevated rights regardless of the client's privileges. This flaw allows unprivileged clients to perform privileged operations via XPC, such as changing system-wide network proxy settings without authorization. Additionally, the lack of proper code-signing checks means arbitrary processes can exploit this vulnerability, potentially enabling man-in-the-middle (MITM) attacks by redirecting network traffic.
How can this vulnerability impact me? :
This vulnerability can allow attackers or unprivileged users to make unauthorized changes to system-wide network preferences, including SOCKS, HTTP, and HTTPS proxy settings. Such changes can redirect network traffic through malicious proxies, enabling man-in-the-middle (MITM) attacks. This compromises the confidentiality, integrity, and availability of network communications and can lead to data interception, manipulation, or disruption.