Xi-Tauw

**Name of the Vulnerable Software and Affected Versions** Yandex Browser versions prior to 22.3.3.801 **Description** The issue is related to errors in processing temporary files during the update process, which can allow an attacker to elevate their privileges. A local, low-privileged attacker can execute arbitrary code with SYSTEM privileges by manipulating temporary files in a directory with insecure permissions. **Recommendations** For versions prior to 22.3.3.801, update to version 22.3.3.801 or later to resolve the issue. As a temporary workaround, consider restricting access to the temporary files directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Yandex Browser versions prior to 22.3.3.684 **Description** The issue is related to errors in handling symbolic links when loading the installation file, which can be exploited to elevate privileges. A local attacker with low privileges can execute arbitrary code with SYSTEM privileges by manipulating symlinks to the installation file during the Yandex Browser update process. **Recommendations** For versions prior to 22.3.3.684, update to version 22.3.3.684 or later to resolve the issue. As a temporary workaround, consider restricting access to the installation file and update process to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ClickHouse versions prior to v20.8.18.32-lts ClickHouse versions prior to v21.1.9.41-stable ClickHouse versions prior to v21.2.9.41-stable ClickHouse versions prior to v21.3.6.55-lts ClickHouse versions prior to v21.4.3.21-stable Yandex Browser for Windows versions prior to 21.9.0.390 **Description** The issue is related to information disclosure and allows a remote attacker to access confidential data. It also involves a local privilege vulnerability that enables a local, low-privileged attacker to execute arbitrary code with SYSTEM privileges by manipulating files in a directory with insecure permissions during the update process of Yandex Browser. An attacker with CREATE DICTIONARY privilege can read arbitrary files outside the permitted directory. **Recommendations** For ClickHouse versions prior to v20.8.18.32-lts, update to version v20.8.18.32-lts or later. For ClickHouse versions prior to v21.1.9.41-stable, update to version v21.1.9.41-stable or later. For ClickHouse versions prior to v21.2.9.41-stable, update to version v21.2.9.41-stable or later. For ClickHouse versions prior to v21.3.6.55-lts, update to version v21.3.6.55-lts or later. For ClickHouse versions prior to v21.4.3.21-stable, update to version v21.4.3.21-stable or later. For Yandex Browser for Windows versions prior to 21.9.0.390, update to version 21.9.0.390 or later. As a temporary workaround, consider restricting the CREATE DICTIONARY privilege to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Yandex Browser versions prior to 22.5.0.862 **Description** The issue is related to errors in processing symbolic links when loading the installation file, which can allow an attacker to elevate their privileges. A local, low-privileged attacker can exploit this to execute arbitrary code with SYSTEM privileges by manipulating symlinks to the installation file during the Yandex Browser update process. **Recommendations** For versions prior to 22.5.0.862, update to version 22.5.0.862 or later to resolve the issue. As a temporary workaround, consider restricting access to the installation file and update process to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Valve Steam Client for Windows versions prior to 2019-08-07 **Description** The issue allows local users to gain NT AUTHORITYSYSTEM access due to explicit "Full control" for the Users group in the HKLMSOFTWAREWow6432NodeValveSteam registry key. **Recommendations** For versions prior to 2019-08-07, consider restricting access to the HKLMSOFTWAREWow6432NodeValveSteam registry key to prevent local users from gaining elevated privileges.