CVE-2022-22262
ASUS Armoury Crate & Aura Creator Installer之ROG Live Service - Improper Link Resolution Before File Access
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
ROG Live Service’s function for deleting temp files created by installation has an improper link resolution before file access vulnerability. Since this function does not validate the path before deletion, an unauthenticated local attacker can create an unexpected symbolic link to system file path, to delete arbitrary system files and disrupt system service.
La función de ROG Live Service para borrar los archivos temporales creados por la instalación presenta una vulnerabilidad de resolución de enlaces incorrecta antes del acceso a los archivos. Dado que esta función no comprueba la ruta antes de la eliminación, un atacante local no autenticado puede crear un enlace simbólico no esperado a la ruta de archivos del sistema, para eliminar archivos arbitrarios del sistema e interrumpir el servicio del mismo.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-12-29 CVE Reserved
- 2022-03-01 CVE Published
- 2024-09-17 CVE Updated
- 2024-11-14 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-59: Improper Link Resolution Before File Access ('Link Following')
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://www.twcert.org.tw/tw/cp-132-5693-f108f-1.html | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Asus Search vendor "Asus" | Rog Live Service Search vendor "Asus" for product "Rog Live Service" | < 1.3.3.0 Search vendor "Asus" for product "Rog Live Service" and version " < 1.3.3.0" | - |
Affected
| ||||||