CVE-2022-45304: n/a in n/a
Insecure permissions in the Chocolatey Cmder package v1.3.20 and below grant all users in the Authenticated Users group write privileges for the path C:\tools\Cmder and all files located in that folder.
AI Analysis
Technical Summary
CVE-2022-45304 describes a security vulnerability related to insecure permissions in the Chocolatey Cmder package version 1.3.20 and earlier. Specifically, the vulnerability arises because the directory path C:\tools\Cmder and all files within this folder are granted write privileges to all users belonging to the 'Authenticated Users' group on Windows systems. This permission misconfiguration corresponds to CWE-732 (Incorrect Permission Assignment for Critical Resource). The vulnerability allows any authenticated user on the system to modify, replace, or delete files within the Cmder installation directory. Cmder is a popular portable console emulator for Windows, often used by developers and IT professionals to enhance the command-line experience. Since the affected path is writable by all authenticated users, an attacker with low privileges could potentially inject malicious code or replace legitimate executables or scripts with malicious ones. This could lead to privilege escalation or persistence mechanisms if the compromised files are executed by higher-privileged users or system processes. The CVSS v3.1 base score is 4.3 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). There are no known exploits in the wild as of the publication date (November 29, 2022), and no official patch links have been provided. The vulnerability is primarily a local privilege escalation risk due to improper file system permissions, which could be leveraged in multi-user environments or systems where multiple authenticated users have access. The absence of a user-interaction requirement and the low attack complexity make it easier to exploit once local access is obtained. However, remote exploitation is not directly possible without prior access.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily in environments where Cmder is deployed on shared or multi-user Windows systems. Organizations with developer workstations, IT operations machines, or build servers using Cmder could be at risk of local privilege escalation or persistence attacks. The integrity of system files and scripts could be compromised, potentially leading to unauthorized code execution or lateral movement within internal networks. While confidentiality and availability impacts are minimal, the integrity impact could facilitate further attacks such as credential theft or deployment of malware. This is particularly relevant for organizations in sectors with high regulatory requirements (e.g., finance, healthcare, critical infrastructure) where maintaining system integrity is crucial. Since the vulnerability requires authenticated user access, the threat is more significant in environments with many users or where endpoint security controls are weak. Additionally, the lack of a patch means organizations must rely on mitigating controls until an update is available. The risk is lower for organizations that do not use Cmder or do not install it in the affected path with default permissions.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should take the following specific actions:
1) Immediately audit the permissions on the C:\tools\Cmder directory and all subfiles on systems where Cmder is installed. Ensure that write permissions are restricted to trusted administrators only, removing write access from the 'Authenticated Users' group.
2) If possible, uninstall or avoid using Cmder versions 1.3.20 and below until a patched version is released.
3) Implement application whitelisting or endpoint protection solutions that monitor and block unauthorized modifications to critical directories and executables, including the Cmder installation path.
4) Employ least privilege principles for user accounts to minimize the number of users with write access to system directories.
5) Monitor file integrity using tools such as Windows File Integrity Monitoring (FIM) to detect unauthorized changes in the Cmder directory.
6) Educate users about the risks of installing software with insecure permissions and enforce secure installation procedures.
7) Consider isolating developer or IT workstations with Cmder from sensitive production environments to limit potential lateral movement.
8) Regularly review and update group policies and security baselines to prevent insecure permission assignments.
These measures go beyond generic advice by focusing on permission audits, endpoint controls, and operational practices tailored to the nature of this vulnerability.
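The permission audit in step 1, and the ACL tightening it calls for, as an added PowerShell example that is not part of this advisory and not code from the Cmder or Chocolatey projects. It assumes the default Chocolatey install path C:\tools\Cmder named in the description and an elevated session; the `-Remediate` switch, the decision to break inheritance from the parent folder, and the read-and-execute grant it leaves in place are this example's own choices, not something the advisory specifies. Matching on the well-known SID S-1-5-11 rather than the group name keeps the check working on localized Windows builds.

```powershell
<#
Added example (not from the advisory, Cmder or Chocolatey): find and, on request,
remove write access that the 'Authenticated Users' group holds on the Cmder
install directory. Assumes the default Chocolatey path C:\tools\Cmder and an
elevated PowerShell session (needed to change ACLs on files you do not own).
Usage:  .\Audit-CmderAcl.ps1              # report only
        .\Audit-CmderAcl.ps1 -Remediate   # report, then fix (honours -WhatIf)
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Path = 'C:\tools\Cmder',
    [switch]$Remediate
)

# Well-known SID for 'Authenticated Users'; matching on the SID avoids
# depending on the localized group name.
$AuthenticatedUsersSid = 'S-1-5-11'

# Specific rights that let a principal change, replace or delete content.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic rights bits (GENERIC_WRITE, GENERIC_ALL) that some ACEs carry
# instead of the specific mask above.
$genericWriteMask = 0x40000000 -bor 0x10000000

function Get-AceSid {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    try   { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }   # orphaned or unresolvable principal
}

function Test-WriteAccess {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $rights = [int]$Ace.FileSystemRights
    (($rights -band [int]$writeMask) -ne 0) -or (($rights -band $genericWriteMask) -ne 0)
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "Not installed, nothing to audit: $Path"
    return
}

# Inspect the directory itself and everything beneath it: a file whose
# inheritance was broken can carry its own permissive entry.
$items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow')           { continue }
        if ((Get-AceSid $ace) -ne $AuthenticatedUsersSid) { continue }
        if (-not (Test-WriteAccess $ace))                  { continue }
        [pscustomobject]@{
            Path        = $item.FullName
            Rights      = $ace.FileSystemRights
            IsInherited = $ace.IsInherited   # inherited entries are fixed at the root
        }
    }
}

if (-not $findings) {
    Write-Output "OK: 'Authenticated Users' has no write access under $Path"
    return
}

Write-Output "FINDING (CWE-732): 'Authenticated Users' can modify $(@($findings).Count) object(s) under $Path"
$findings | Format-Table -AutoSize | Out-String | Write-Output

if ($Remediate -and $PSCmdlet.ShouldProcess($Path, "Remove 'Authenticated Users' write access")) {
    # 1. Stop inheriting from the parent (C:\tools) but keep copies of the
    #    current entries, so the fix does not depend on the parent's ACL.
    icacls $Path /inheritance:d | Out-Null
    # 2. Drop every grant for the group, on the root and all children.
    icacls $Path /remove:g "*$AuthenticatedUsersSid" /t /c | Out-Null
    # 3. Users still need to launch Cmder: grant read and execute only,
    #    inherited by subfolders (CI) and files (OI).
    icacls $Path /grant "*${AuthenticatedUsersSid}:(OI)(CI)RX" | Out-Null
    Write-Output "Remediated; re-run without -Remediate to verify."
}
```

Run it in report mode first across the fleet (for example through your endpoint management tool) to establish which hosts are affected, then with `-Remediate -WhatIf` to preview, and only then with `-Remediate`. Because the entries are typically inherited from the parent folder, removing them on individual files does nothing; the fix has to happen at the directory that grants them, which is why the script breaks inheritance at C:\tools\Cmder before removing the group's grants.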
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Poland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-11-14T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d983fc4522896dcbf04d5
Added to database: 5/21/2025, 9:09:19 AM
Last enriched: 6/24/2025, 12:14:18 PM
Last updated: 8/12/2025, 4:00:56 PM
Views: 12
Related Threats
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)