AnyDesk 7.0.9 allows a local user to gain SYSTEM privileges via a symbolic link because the user can write to their own %APPDATA% folder (used for ad.trace and chat) but the product runs as SYSTEM when writing chat-room data there.
References
| Link | Resource |
|---|---|
| http://anydesk.com | Vendor Advisory |
| http://packetstormsecurity.com/files/167608/AnyDesk-7.0.9-Arbitrary-File-Write-Denial-Of-Service.html | Exploit Third Party Advisory VDB Entry |
| http://seclists.org/fulldisclosure/2022/Jul/9 | Exploit Mailing List Third Party Advisory |
| https://seclists.org/fulldisclosure/2022/Jun/44 | Exploit Mailing List Third Party Advisory |
Configurations
History
22 Jul 2022, 14:33
| Type | Values Removed | Values Added |
|---|---|---|
| References | (MISC) https://seclists.org/fulldisclosure/2022/Jun/44 - Exploit, Mailing List, Third Party Advisory | |
| References | (MISC) http://packetstormsecurity.com/files/167608/AnyDesk-7.0.9-Arbitrary-File-Write-Denial-Of-Service.html - Exploit, Third Party Advisory, VDB Entry | |
| References | (MISC) http://anydesk.com - Vendor Advisory | |
| References | (FULLDISC) http://seclists.org/fulldisclosure/2022/Jul/9 - Exploit, Mailing List, Third Party Advisory | |
| CWE | CWE-59 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.1 |
| CPE | cpe:2.3:a:anydesk:anydesk:7.0.9:*:*:*:*:*:*:* | |
| First Time |
Anydesk
Anydesk anydesk |
20 Jul 2022, 05:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
18 Jul 2022, 19:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
18 Jul 2022, 13:25
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2022-07-18 13:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-32450
Mitre link : CVE-2022-32450
CVE.ORG link : CVE-2022-32450
JSON object : View
Products Affected
anydesk
- anydesk
CWE
CWE-59
Improper Link Resolution Before File Access ('Link Following')