SES Evolution agent arbitrary file creation (CVE-2023-35799)

Advisory ID CVE Number Date discovered Severity Advisory revision
STORM-2023-022 CVE-2023-35799 06/14/2023 low v1

Vulnerability details

An interactive user can use the SES Evolution agent to create an arbitrary file with local system privileges.

Impacted products

Stormshield Endpoint Security low SES is impacted


Version Date Description
v1 Initial release

Stormshield Endpoint Security

CVSS v3.1 Overall Score: 3.4      


Impacted version

An interactive user can use the SES Evolution agent to create arbitrary files with local system privileges. This does not allow to replace existing files and does not allow to control the create file contents. This allows to cause denial of service for arbitrary components, including system processes and SES Evolution agent processes.

  • SES 2.0.0 to 2.3.2

Workaround solution


There is no workaround solution.

The 2.4.1 update fixes this vulnerability.

Attack Vector Attack Complexity Privileges Required User Interaction Scope Confidentiality Impact Integrity Impact Availability impact
Local Low Low None Unchanged None None High
CVSS Base score: 5.5 CVSS Vector: (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Exploit Code Maturity Remediation Level Report Confidence
Proof of concept code Official fix Confirmed
CVSS Temporal score: 5 CVSS Vector: (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C)
Confidentiality Requirement Integrity Requirement Availability Requirement
Low Low Low
CVSS Environmental score: 3.4 CVSS Vector: (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)