ASUS Armoury Crate Service - Arbitrary File Creation via Elevation of Privilege Flaw
CVE-2022-38699
5.9MEDIUM
Summary
Armoury Crate Service’s logging function has insufficient validation to check if the log file is a symbolic link. A physical attacker with general user privilege can modify the log file property to a symbolic link that points to arbitrary system file, causing the logging function to overwrite the system file and disrupt the system.
Affected Version(s)
Armoury Crate Service = 5.1.5.0
References
CVSS V3.1
Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database