RayVentory Scan Engine through 12.6 Update 8 allows attackers to gain privileges if they control the value of the PATH environment variable. NOTE: this is disputed because ability of an attacker to control the environment is a site-specific misconfiguration.
The RayVentory Scan Engine application during operation references external executable files or libraries using the PATH environment variable without validation or sanitization. If an attacker has the ability to modify the PATH variable (e.g., through access to the account running the service), they can substitute a malicious executable file with the same name as the one called by the application. When the application is launched, the malicious file will be executed with the privileges of the RayVentory Scan Engine process.
An attacker can gain elevated privileges in the operating system, which may consequently lead to complete system takeover, data disclosure, or data modification.
RayVentory Scan Engine should be updated to the version indicated by the vendor as secure (see: https://support.raynet.de/hc/en-us/articles/19518792826132-RVY200865-RayVentory-12-6). Additionally, it is recommended to ensure that no unprivileged user has the ability to modify the PATH environment variable for processes running the service. The system service should be launched with the minimum necessary privileges and with a strictly defined, secure runtime environment.
RayVentory Scan Engine in versions up to and including 12.6 Update 8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H