CVE-2021-45231

10.01.2022, 14:10

A link following privilege escalation vulnerability in Trend Micro Apex One (on-prem and SaaS) and Trend Micro Worry-Free Business Security (10.0 SP1 and Services) could allow a local attacker to create a specially crafted file with arbitrary content which could grant local privilege escalation on the affected system. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Link Following

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
trendmicro	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 11%

Vendor	Product	Version
trendmicro	worry-free_business_security	10.0:sp1
trendmicro	worry-free_business_security_services	-

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References

https://success.trendmicro.com/solution/000289996

https://www.zerodayinitiative.com/advisories/ZDI-22-013/

https://success.trendmicro.com/solution/000289996

https://www.zerodayinitiative.com/advisories/ZDI-22-013/