CVE-2019-12579
HIGHPrivate Internet Access VPN Client v82 - Local Privilege Escalation via OpenVPN Launcher Parameter Injection
Title source: llmDescription
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The PIA Linux/macOS binary openvpn_launcher.64 binary is setuid root. This binary accepts several parameters to update the system configuration. These parameters are passed to operating system commands using a "here" document. The parameters are not sanitized, which allow for arbitrary commands to be injected using shell metacharacters. A local unprivileged user can pass special crafted parameters that will be interpolated by the operating system calls.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12579.txt
Scores
CVSS v3
7.8
EPSS
0.0081
EPSS Percentile
52.0%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (1)
londontrustmedia/private_internet_access_vpn_client
82
Published
Jul 11, 2019
Tracked Since
Feb 18, 2026