NVD:CVE-2022-38699
Sep 28, 2022 - 4:15 a.m.

CVE-2022-38699

2022-09-28 04:15:13
CWE-59
web.nvd.nist.gov
armoury crate service
insufficient validation
privilege escalation
symbolic link manipulation
system disruption

CVSS3: 5.9

Attack Vector: PHYSICAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS: 0
Percentile: 12.6%

Armoury Crate Service's logging function has insufficient validation to check whether the log file is a symbolic link. A physical attacker with general user privileges can modify the log file property to a symbolic link that points to an arbitrary system file, causing the logging function to overwrite the system file and disrupt the system.

Affected configurations

Nvd

Node: asus armoury_crate_service, Range: < 5.2.10.0

Vendor | Product | Version | CPE
asus | armoury_crate_service | * | cpe:2.3:a:asus:armoury_crate_service:*:*:*:*:*:*:*:*
