Details of VAR-202209-2031

ID

VAR-202209-2031

CVE

CVE-2022-38699

TITLE

ASUSTeK Computer Inc. of armoury crate service Link interpretation vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-017909

DESCRIPTION

Armoury Crate Service’s logging function has insufficient validation to check if the log file is a symbolic link. A physical attacker with general user privilege can modify the log file property to a symbolic link that points to arbitrary system file, causing the logging function to overwrite the system file and disrupt the system. ASUSTeK Computer Inc. of armoury crate service Exists in a link interpretation vulnerability.Information is tampered with and service operation is interrupted (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2022-38699 // JVNDB: JVNDB-2022-017909 // VULHUB: VHN-434471

AFFECTED PRODUCTS

vendor:	asus	model:	armoury crate service	scope:	lt	version:	5.2.10.0	Trust: 1.0
vendor:	asustek computer	model:	armoury crate service	scope:	eq	version:	-	Trust: 0.8
vendor:	asustek computer	model:	armoury crate service	scope:	eq	version:	5.2.10.0	Trust: 0.8
vendor:	asustek computer	model:	armoury crate service	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-017909 // NVD: CVE-2022-38699

CVSS

SEVERITY

CVSSV2

CVSSV3

twcert@cert.org.tw:	CVE-2022-38699
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2022-017909
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202209-2834
value:	MEDIUM
Trust: 0.6

twcert@cert.org.tw:	CVE-2022-38699
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.7
impactScore:	5.2
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2022-017909
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-017909 // CNNVD: CNNVD-202209-2834 // NVD: CVE-2022-38699

PROBLEMTYPE DATA

problemtype:	CWE-59	Trust: 1.1
problemtype:	Link interpretation problem (CWE-59) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-434471 // JVNDB: JVNDB-2022-017909 // NVD: CVE-2022-38699

TYPE

post link

Trust: 0.6

sources: CNNVD: CNNVD-202209-2834

PATCH

title:

ASUS Armoury Crate Service Post-link vulnerability fixes

url:

http://123.124.177.30/web/xxk/bdxqById.tag?id=209672

Trust: 0.6

sources: CNNVD: CNNVD-202209-2834

EXTERNAL IDS

db:	NVD	id:	CVE-2022-38699	Trust: 3.3
db:	JVNDB	id:	JVNDB-2022-017909	Trust: 0.8
db:	CNNVD	id:	CNNVD-202209-2834	Trust: 0.6
db:	VULHUB	id:	VHN-434471	Trust: 0.1

sources: VULHUB: VHN-434471 // JVNDB: JVNDB-2022-017909 // CNNVD: CNNVD-202209-2834 // NVD: CVE-2022-38699

REFERENCES

url:	https://www.twcert.org.tw/tw/cp-132-6522-4eacb-1.html	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2022-38699	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-38699/	Trust: 0.6

sources: VULHUB: VHN-434471 // JVNDB: JVNDB-2022-017909 // CNNVD: CNNVD-202209-2834 // NVD: CVE-2022-38699

SOURCES

db:	VULHUB	id:	VHN-434471
db:	JVNDB	id:	JVNDB-2022-017909
db:	CNNVD	id:	CNNVD-202209-2834
db:	NVD	id:	CVE-2022-38699

LAST UPDATE DATE

2024-08-14T14:55:15.323000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-434471	date:	2022-09-30T00:00:00
db:	JVNDB	id:	JVNDB-2022-017909	date:	2023-10-17T08:04:00
db:	CNNVD	id:	CNNVD-202209-2834	date:	2022-10-08T00:00:00
db:	NVD	id:	CVE-2022-38699	date:	2022-09-30T13:01:18.967

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-434471	date:	2022-09-28T00:00:00
db:	JVNDB	id:	JVNDB-2022-017909	date:	2023-10-17T00:00:00
db:	CNNVD	id:	CNNVD-202209-2834	date:	2022-09-28T00:00:00
db:	NVD	id:	CVE-2022-38699	date:	2022-09-28T04:15:13.857