CVE-2022-24286

EPSS 0.03%
Published 10.03.2022 17:46:03
Last modified 21.11.2024 06:50:05
Source cve@mitre.org
Teams watchlist Login
Open Login

Acer QuickAccess 2.01.300x before 2.01.3030 and 3.00.30xx before 3.00.3038 contains a local privilege escalation vulnerability. The user process communicates with a service of system authority through a named pipe. In this case, the Named Pipe is also given Read and Write rights to the general user. In addition, the service program does not verify the user when communicating. A thread may exist with a specific command. When the path of the program to be executed is sent, there is a local privilege escalation in which the service program executes the path with system privileges.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Acer ≫ Quickaccess Version >= 2.01.3000 < 2.01.3030

Acer ≫ Quickaccess Version >= 3.00.3000 < 3.00.3038

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.03%	0.052

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://community.acer.com/en/kb/articles/14762

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2022-24286

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-24286

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-24286

EUVD