Lucene search

[email protected]CVE-2022-45306

HistoryNov 29, 2022 - 2:15 a.m.

CVE-2022-45306

2022-11-2902:15:09

CWE-732

[email protected]

web.nvd.nist.gov

cve-2022-45306

insecure permissions

chocolatey

azure-pipelines-agent

nvd

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.9%

JSON

Insecure permissions in Chocolatey Azure-Pipelines-Agent package v2.211.1 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\agent and all files located in that folder.

Affected configurations

NVD

Node

chocolateychocolatey_azure-pipelines-agentRange≤2.211.1

CPENameOperatorVersion
chocolatey:chocolatey_azure-pipelines-agentchocolatey chocolatey azure-pipelines-agentle2.211.1

CPE	Name	Operator	Version
chocolatey:chocolatey_azure-pipelines-agent	chocolatey chocolatey azure-pipelines-agent	le	2.211.1

References

github.com/ycdxsb/Vuln/blob/main/azure-pipelines-agent-weak-permission-vuln/azure-pipelines-agent-weak-permission-vuln.md

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.9%

JSON

Related for CVE-2022-45306

cvelist1 prion1 nvd1 cnvd1