Cyber Resilience

CVE-2022-38699

Medium

Published: 28 September 2022

Published
28 September 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 5.9 CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0012 30.4th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-38699 is a medium-severity Link Following (CWE-59) vulnerability in Asus Armoury Crate Service. Its CVSS base score is 5.9 (Medium).

Operationally, ranked at the 30.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Armoury Crate Service’s logging function has insufficient validation to check if the log file is a symbolic link. A physical attacker with general user privilege can modify the log file property to a symbolic link that points to arbitrary system…

more

file, causing the logging function to overwrite the system file and disrupt the system.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

asus
armoury crate service
≤ 5.2.10.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References