CVE-2024-9062

Source
https://cve.org/CVERecord?id=CVE-2024-9062
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-9062.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-9062
Published
2025-06-10T23:25:30.420Z
Modified
2026-07-15T01:48:56.080382680Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
macOS Archify: Local Privilege Escalation
Details

The Archify application contains a local privilege escalation vulnerability due to insufficient client validation in its privileged helper tool, com.oct4pie.archifyhelper, which is exposed via XPC. Archify follows the "factored applications" model, delegating privileged operations—such as arbitrary file deletion and file permission changes—to this helper running as root. However, the helper does not verify the code signature, entitlements, or signing flags of the connecting client. Although macOS provides secure validation mechanisms like auditToken, these are not implemented. As a result, any local process can establish a connection to the helper and invoke privileged functionality, leading to unauthorized execution of actions with root-level privileges.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/9xxx/CVE-2024-9062.json",
    "cwe_ids": [
        "CWE-306"
    ],
    "cna_assigner": "Pentraze"
}
References

Affected packages

Git / github.com/oct4pie/archify

Affected ranges

Type
GIT
Repo
https://github.com/oct4pie/archify
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.3.1"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v1.*
v1.0.0
v1.1.0
v1.2.0
v1.2.0-fix
v1.3.0
v1.3.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-9062.json"