CVE-2024-21364: Microsoft Azure Site Recovery Elevation of Privilege Vulnerability

Overview

Severity
Critical (CVSS 9.3)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Category
Elevation of Privilege
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2024-Feb
Released
2024-02-13
EPSS Score
0.29% (percentile: 51.9%)

FAQ

How could an attacker exploit this vulnerability?
An attacker with local access to a machine with Azure Site Recovery (ASR) can execute code that allows escalating privileges to IUSR (or Anonymous User Identity) and could discover the MySQL root password, which could result in the discovery of other stored encrypted credentials.

Why is this CVE rated as Moderate severity?
The attacker can only elevate their privileges to Root on the specific system or database which they are targeting. System privileges cannot be gained, and information relating to other systems or databases cannot be obtained after elevating their privileges.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?
An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

Affected Products (1)

Azure

  • Azure Site Recovery

Security Updates (1)

Acknowledgments

Chris Hernandez (https://piffd0s.medium.com/) with Adversary Academy (https://adversaryacademy.com/)

Revision History

  • 2024-02-13: Information published.