CVELIST:CVE-2022-38699 (cvelist, Twcert)
Sep 28, 2022 - 3:25 a.m.

CVE-2022-38699 ASUS Armoury Crate Service - Arbitrary File Creation via Elevation of Privilege Flaw

2022-09-28 03:25:34
CWE-59
twcert
www.cve.org
asus
armoury crate service
arbitrary file creation

CVSS3: 5.9

Attack Vector: PHYSICAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

AI Score: 5.9
Confidence: High

EPSS: 0
Percentile: 12.6%

Armoury Crate Service’s logging function does not sufficiently validate whether the log file is a symbolic link. A physical attacker with general user privileges can modify the log file property to a symbolic link that points to an arbitrary system file, causing the logging function to overwrite the system file and disrupt the system.

CNA Affected

[
  {
    "product": "Armoury Crate Service",
    "vendor": "ASUS",
    "versions": [
      {
        "status": "affected",
        "version": "5.1.5.0"
      }
    ]
  }
]
