Insecure link following in Trend Micro Password Manager for Windows



Published: 2022-05-10 | Updated: 2022-05-13

Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2022-30523
CWE-ID: CWE-59
Exploitation vector: Local
Public exploit: N/A
Vulnerable software: Password Manager for Windows (Client/Desktop applications / Other client software)
Vendor: Trend Micro

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Link following

EUVDB-ID: #VU62905

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-30523

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Exploit availability: No

Description

The vulnerability allows a local user to delete arbitrary files on the system.

The vulnerability exists due to insecure link following. A local user can create a specially crafted symbolic link on the system and delete arbitrary files with SYSTEM privileges.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Password Manager for Windows: 5.0.0.1076 - 5.0.1058


External links

http://helpcenter.trendmicro.com/en-us/article/TMKA-09071
http://www.zerodayinitiative.com/advisories/ZDI-22-759/
