CVE-2022-24696: 
Homebrew vulnerability analysis and mitigation

CVE-2022-24696 affects Mirametrix Glance versions prior to 5.1.1.42207 (released on 2018-08-30). The vulnerability allows local attackers to elevate privileges on affected systems. This issue specifically pertains to Mirametrix's Glance software and is unrelated to products from glance.com and glance.net websites (NVD).

The vulnerability exists in the MaseService component of Mirametrix Glance. The service configuration allows the built-in Users group to have 'Change Config' permissions, enabling all users to manipulate the service configuration. The default location for the service binary is C:\Program Files\Mirametrix\MaseService\bin\MaseService.exe, and the service runs as the Local Service account. The vulnerability has a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (TrustedSec).

The vulnerability allows local users to escalate privileges from Local Service to SYSTEM level access on affected systems. This enables attackers to execute arbitrary commands with system-level privileges, potentially leading to complete system compromise (TrustedSec).

To address this vulnerability, users must uninstall the existing version of Glance and install the latest version from the Microsoft Store. The fix involves removing the vulnerable version and installing the updated Microsoft Store-based application, which does not contain the security issue. Lenovo is working on implementing guidance through their Vantage application to help users remove old versions of Glance (Mirametrix, TrustedSec).