CVE-2022-45304 : Insecure permissions in Chocolatey Cmder package v1.3.20 and below grants all us

Insecure permissions in Chocolatey Cmder package v1.3.20 and below grants all users in the Authenticated Users group write privileges for the path C:\tools\Cmder and all files located in that folder.

Published 2022-11-29 02:15:09

Updated 2022-12-01 17:11:39

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2022-45304

Chocolatey » Chocolatey Cmder
Versions up to, including, (<=) 1.3.20
cpe:2.3:a:chocolatey:chocolatey_cmder:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-45304

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 8 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-45304

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	2.8	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2022-45304

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-45304

https://github.com/ycdxsb/Vuln/blob/main/cmder-weak-permission-vuln/cmder-weak-permission-vuln.md

Page not found · GitHub · GitHub
Broken Link;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-45304

Products affected by CVE-2022-45304

Exploit prediction scoring system (EPSS) score for CVE-2022-45304

CVSS scores for CVE-2022-45304

CWE ids for CVE-2022-45304

References for CVE-2022-45304