CVE-2024-29187

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.3 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r
https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7
https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9
https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r
https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7
https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9

Configurations

No configuration.

History

21 Nov 2024, 09:07

Type	Values Removed	Values Added
Summary		(es) El conjunto de herramientas WiX permite a los desarrolladores crear instaladores para Windows Installer, el motor de instalación de Windows. Cuando un paquete se ejecuta como usuario del SYSTEMA, Burn usa GetTempPathW que apunta a un directorio inseguro C:\Windows\Temp para colocar y cargar múltiples archivos binarios. Los usuarios estándar pueden secuestrar el binario antes de que se cargue en la aplicación, lo que resulta en una elevación de privilegios. Esta vulnerabilidad se solucionó en 3.14.1 y 4.0.5.
References	~~() https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r -~~	() https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r -
References	~~() https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7 -~~	() https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7 -
References	~~() https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9 -~~	() https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9 -

24 Mar 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-24 20:15

Updated : 2024-11-21 09:07

NVD link : CVE-2024-29187

Mitre link : CVE-2024-29187

CVE.ORG link : CVE-2024-29187

JSON object : View

Products Affected

No product.

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

7.3 /10