2023-11 security advisory
Your trust in our products and service means the world to us, and we are committed to being proactive and keeping you informed about any security updates to our software.
As part of this proactive stance, we have released security updates for AppsAnywhere Server 2.11, 2.12, 3.0 and 3.1 (patch AA-5085) and for the AppsAnywhere Client (1.6.1, 2.0.1). These releases resolve two security issues (CVE-2023-41138 and CVE-2023-41137). We recommend that all customers who have not already applied these updates do so by contacting our support team.
Details of the two issues follow.
AppsAnywhere macOS Client - CVE-2023-41138 - Bad privilege assignment
| Summary | The AppsAnywhere macOS client's privileged helper can be tricked by a local user process into executing arbitrary commands with elevated permissions. |
|---|---|
| Advisory release date | 2023-11-09 |
| Product | AppsAnywhere Client |
| Affected versions | |
| Fixed versions | |
| CVE ID(s) | CVE-2023-41138 |
| CVSS | 7.5 (High) - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Discovered by | Gaelan Steele |
AppsAnywhere Client - CVE-2023-41137 - Cryptographic error
| Summary | The symmetric encryption used to protect messages between the AppsAnywhere server and client can be broken by reverse engineering the client, and the result used to impersonate the AppsAnywhere server to the client. |
|---|---|
| Advisory release date | 2023-11-09 |
| Product | AppsAnywhere Client |
| Affected versions | |
| Fixed versions | Fixed versions of the AppsAnywhere client require a compatible AppsAnywhere server version; older server versions are incompatible. Compatible server versions: |
| CVE ID(s) | CVE-2023-41137 |
| CVSS | 8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| Discovered by | Gaelan Steele |
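The CVE-2023-41137 summary describes a general weakness rather than a flaw in any one cipher: a symmetric key shared between server and client has to be present in every copy of the client, so anyone who extracts it from the client can produce messages the client accepts as coming from the server. The Go program below is an added illustration of that reasoning and of the usual remedy; it is not AppsAnywhere's code, protocol or key material, and its key bytes, message and function names are constructed for the example. HMAC-SHA256 stands in for whatever symmetric scheme is in use (with authenticated encryption the argument is identical, since the client can encrypt exactly what the server can), and an Ed25519 signature verified against a public key pinned in the client stands in for the hardened design. In a deployed product the server's identity would more usually be established by the TLS connection itself, but the property being shown is the same: the client must hold nothing that lets it, or anyone who disassembles it, speak as the server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed demo key standing in for a symmetric key compiled into every
// copy of a client binary. It is NOT AppsAnywhere's key or algorithm.
var embeddedClientKey = []byte("demo-key-baked-into-client-binary")

// ServerAuthSymmetric is how a server protects a message when it shares a
// symmetric key with the client (HMAC-SHA256 stands in for the real scheme).
func ServerAuthSymmetric(msg []byte) []byte {
	m := hmac.New(sha256.New, embeddedClientKey)
	m.Write(msg)
	return m.Sum(nil)
}

// ClientAcceptsSymmetric is the client's check; it can only verify by holding
// the same key the server uses, so the key must ship inside the client.
func ClientAcceptsSymmetric(msg, tag []byte) bool {
	return hmac.Equal(tag, ServerAuthSymmetric(msg))
}

// AttackerForgeSymmetric models an attacker who has reverse engineered the
// client and read the key out of it: the forged tag is byte-for-byte what the
// genuine server would produce, so the client cannot tell them apart.
func AttackerForgeSymmetric(msg []byte) []byte {
	recoveredKey := embeddedClientKey // recovered from the shipped binary
	m := hmac.New(sha256.New, recoveredKey)
	m.Write(msg)
	return m.Sum(nil)
}

// ServerIdentity is the hardened design: the server holds a private signing
// key and the client ships with only the matching public key.
type ServerIdentity struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewServerIdentity() (*ServerIdentity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ServerIdentity{pub: pub, priv: priv}, nil
}

// PublicKey is the only server-related secret-free material the client needs.
func (s *ServerIdentity) PublicKey() ed25519.PublicKey { return s.pub }

// Sign is done server-side; the private key never leaves the server.
func (s *ServerIdentity) Sign(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// ClientAcceptsSigned verifies against the pinned public key only. The length
// guard matters because ed25519.Verify panics on a malformed key.
func ClientAcceptsSigned(serverPub ed25519.PublicKey, msg, sig []byte) bool {
	return len(serverPub) == ed25519.PublicKeySize && ed25519.Verify(serverPub, msg, sig)
}

// AttackerForgeSigned: with only the client binary (and so only the public
// key) the best an attacker can do is sign with a key of their own, which the
// pinned public key rejects.
func AttackerForgeSigned(msg []byte) ([]byte, error) {
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(attackerPriv, msg), nil
}

func main() {
	msg := []byte(`{"from":"server","cmd":"open-app","id":42}`) // constructed message
	fmt.Println("shared key: forged tag accepted by client:",
		ClientAcceptsSymmetric(msg, AttackerForgeSymmetric(msg)))

	srv, err := NewServerIdentity()
	if err != nil {
		panic(err)
	}
	fmt.Println("pinned pubkey: genuine signature accepted:",
		ClientAcceptsSigned(srv.PublicKey(), msg, srv.Sign(msg)))
	forged, err := AttackerForgeSigned(msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("pinned pubkey: forged signature accepted:",
		ClientAcceptsSigned(srv.PublicKey(), msg, forged))
}
```

The first check prints `true`: the forged tag is indistinguishable from the server's because both are computed from the same embedded key. The signed variant prints `true` for the genuine message and `false` for the forgery. Note the compatibility consequence mentioned in the table above: once the client verifies server messages differently, the client and server have to be upgraded together.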