Osquery
Monthly
Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard (unprivileged) user escalate to SYSTEM by planting a maliciously crafted process whose Process Environment Block (PEB) contains oversized command-line or current-directory strings. When the osquery agent - typically running as SYSTEM - queries the `processes` table against that process, unchecked PEB string lengths trigger a heap-based out-of-bounds write (CWE-122). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard user escalate to SYSTEM by planting a maliciously crafted binary and having the authenticode table query it, triggering a heap out-of-bounds write in the getOriginalProgramName publisher-parsing routine. The flaw is a CWE-122 heap buffer overflow reachable whenever osquery (typically running as SYSTEM) evaluates authenticode publisher metadata against attacker-controlled files. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.
File carve operations in osquery prior to 5.23.1 expose sensitive data due to world-readable temporary directory permissions, allowing a local unprivileged attacker to read carve contents during the collection window. If the carve targets a directory the attacker controls, the impact extends to arbitrary local file reads. No public exploit identified at time of analysis; the vendor-confirmed fix ships in osquery 5.23.1.
osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Rated medium severity (CVSS 5.2), this vulnerability is low attack complexity. Public exploit code available.
osquery before version 4.4.0 enables a privilege escalation vulnerability. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. Public exploit code available.
Incorrect validation of the TLS SNI hostname in osquery versions after 2.9.0 and before 4.2.0 could allow an attacker to MITM osquery traffic in the absence of a configured root chain of trust. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In some configurations an attacker can inject a new executable path into the extensions.load file for osquery and hard link a parent folder of a malicious binary to a folder with known 'safe'. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An issue was discovered in osquery. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard (unprivileged) user escalate to SYSTEM by planting a maliciously crafted process whose Process Environment Block (PEB) contains oversized command-line or current-directory strings. When the osquery agent - typically running as SYSTEM - queries the `processes` table against that process, unchecked PEB string lengths trigger a heap-based out-of-bounds write (CWE-122). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard user escalate to SYSTEM by planting a maliciously crafted binary and having the authenticode table query it, triggering a heap out-of-bounds write in the getOriginalProgramName publisher-parsing routine. The flaw is a CWE-122 heap buffer overflow reachable whenever osquery (typically running as SYSTEM) evaluates authenticode publisher metadata against attacker-controlled files. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.
File carve operations in osquery prior to 5.23.1 expose sensitive data due to world-readable temporary directory permissions, allowing a local unprivileged attacker to read carve contents during the collection window. If the carve targets a directory the attacker controls, the impact extends to arbitrary local file reads. No public exploit identified at time of analysis; the vendor-confirmed fix ships in osquery 5.23.1.
osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Rated medium severity (CVSS 5.2), this vulnerability is low attack complexity. Public exploit code available.
osquery before version 4.4.0 enables a privilege escalation vulnerability. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. Public exploit code available.
Incorrect validation of the TLS SNI hostname in osquery versions after 2.9.0 and before 4.2.0 could allow an attacker to MITM osquery traffic in the absence of a configured root chain of trust. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In some configurations an attacker can inject a new executable path into the extensions.load file for osquery and hard link a parent folder of a malicious binary to a folder with known 'safe'. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An issue was discovered in osquery. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.