CVE-2022-45306: n/a in n/a

Medium
Tags: Vulnerability, CVE-2022-45306, cve, cve-2022-45306, n-a, cwe-732
Published: Tue Nov 29 2022 (11/29/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Insecure permissions in Chocolatey Azure-Pipelines-Agent package v2.211.1 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\agent and all files located in that folder.

AI-Powered Analysis

Last updated: 06/24/2025, 12:41:32 UTC

Technical Analysis

CVE-2022-45306 is a medium-severity vulnerability caused by insecure permissions in the Chocolatey Azure-Pipelines-Agent package, version 2.211.1 and earlier. The subfolder C:\agent and all files within it grant write privileges to every member of the Authenticated Users group on Windows systems, a misconfiguration that corresponds to CWE-732 (Incorrect Permission Assignment for Critical Resource). Any authenticated user on the affected system can therefore modify files within the agent directory, potentially leading to unauthorized changes to the agent's operation. Since the Azure Pipelines Agent is used to run CI/CD pipelines, an attacker with write access could tamper with build or deployment scripts, inject malicious code, or disrupt pipeline execution.

The CVSS 3.1 base score is 4.3 (medium). The vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or availability impact (C:N, A:N), and low integrity impact (I:L). No known exploits are reported in the wild, and no patches are linked in the provided data. The vulnerability is rooted in improper permission settings rather than a software bug, so remediation involves correcting access controls on the affected directories and files. The issue affects Windows environments where the Chocolatey Azure-Pipelines-Agent package is installed and used, which is common in organizations employing Azure DevOps for CI/CD workflows.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized modification of CI/CD pipeline agents, potentially allowing malicious actors with authenticated access to alter build or deployment processes. This could result in the injection of malicious code into software releases, undermining software integrity and trust. Although the vulnerability does not directly impact confidentiality or availability, the integrity compromise can have downstream effects including supply chain attacks, deployment of backdoored software, or disruption of development workflows. Organizations relying heavily on Azure DevOps and Chocolatey for automated deployments are at higher risk. The impact is particularly significant for sectors with stringent software integrity requirements such as finance, healthcare, and critical infrastructure. Additionally, since the vulnerability requires authenticated access, insider threats or compromised user accounts could exploit this weakness. The lack of known exploits suggests limited active exploitation, but the potential for misuse remains, especially in environments with lax internal access controls.

Mitigation Recommendations

- Immediately review and correct NTFS permissions on the C:\agent directory and all its contents to restrict write access only to necessary service accounts or administrators, removing write privileges from the Authenticated Users group.
- Implement the principle of least privilege for all users and service accounts interacting with the Azure Pipelines Agent.
- Regularly audit permissions on critical directories related to build and deployment agents to detect and remediate improper access rights.
- Monitor file integrity within the agent directory using file integrity monitoring tools to detect unauthorized changes.
- Restrict network access to build agents to trusted users and systems to reduce the risk of unauthorized authenticated access.
- Ensure that all users with access to build agents follow strong authentication practices, including multi-factor authentication where possible.
- Keep the Azure Pipelines Agent and related tooling up to date with the latest versions and security patches once available.
- Establish internal policies and training to raise awareness about the risks of improper permissions and insider threats in CI/CD environments.
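
One way to carry out the permission review recommended above, as an added example rather than vendor or project code: a PowerShell script that lists every Allow ACE under C:\agent giving Authenticated Users (SID S-1-5-11) write-type rights and, with -Remediate, replaces them at the root with read-only access. The function name Get-WritableAce and the script parameters are names chosen for this example.

```powershell
# Added example (not vendor code): audit, and optionally fix, Authenticated Users write access.
# Assumption: the agent is installed in C:\agent, the path named in the advisory. Run elevated.
param(
    [string]$AgentRoot = 'C:\agent',
    [switch]$Remediate   # report-only unless this switch is given
)

$sidType   = [System.Security.Principal.SecurityIdentifier]
$authUsers = $sidType::new('S-1-5-11')   # well-known SID, independent of the OS language

# Specific write-type rights plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000),
# which inherit-only ACEs may carry instead of the specific bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-WritableAce {
    param([string]$Root)
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.IdentityReference.Value -eq $authUsers.Value -and
                $ace.AccessControlType -eq 'Allow' -and
                ([int]$ace.FileSystemRights -band $writeMask)) {
                [pscustomobject]@{ Path = $item.FullName; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

$findings = @(Get-WritableAce -Root $AgentRoot)
$findings | Format-Table -AutoSize

if ($Remediate -and $findings.Count -gt 0) {
    # Stop inheriting from the parent but keep the current ACEs as explicit entries,
    # so administrators and the agent's service account keep the access they have.
    $acl = Get-Acl -LiteralPath $AgentRoot
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $AgentRoot -AclObject $acl

    # Drop every Authenticated Users ACE on the root, then grant read-only back
    # (omit the AddAccessRule call if the group needs no access at all).
    $acl = Get-Acl -LiteralPath $AgentRoot
    $acl.PurgeAccessRules($authUsers)
    $readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $authUsers, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($readOnly)
    Set-Acl -LiteralPath $AgentRoot -AclObject $acl
    # Anything still listed carries its own explicit ACE and needs a per-item fix.
    Get-WritableAce -Root $AgentRoot | Format-Table -AutoSize
}
```

Before using -Remediate, confirm that the account the agent runs as holds its own ACE on the directory; if its write access came only through Authenticated Users, the agent will lose it as well.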

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-11-14T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d983fc4522896dcbf045f

Added to database: 5/21/2025, 9:09:19 AM

Last enriched: 6/24/2025, 12:41:32 PM

Last updated: 8/15/2025, 6:38:08 PM
