CVE-2024-29188 (GCVE-0-2024-29188)
Vulnerability from cvelistv5 – Published: 2024-03-24 19:46 – Updated: 2024-08-02 01:10
VLAI?
Summary
WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The custom action behind WiX's `RemoveFolderEx` functionality could allow a standard user to delete protected directories. `RemoveFolderEx` deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed `RemoveFolderEx` to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. This vulnerability is fixed in 3.14.1 and 4.0.5.
Severity ?
7.8 (High)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wixtoolset | issues |
Affected:
< 3.14.1
Affected: >= 4.0.0, < 4.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29188",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T18:20:54.492822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:57:33.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.532Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg"
},
{
"name": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742"
},
{
"name": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "issues",
"vendor": "wixtoolset",
"versions": [
{
"status": "affected",
"version": "\u003c 3.14.1"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The custom action behind WiX\u0027s `RemoveFolderEx` functionality could allow a standard user to delete protected directories. `RemoveFolderEx` deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed `RemoveFolderEx` to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. This vulnerability is fixed in 3.14.1 and 4.0.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-24T19:46:25.875Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg"
},
{
"name": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742"
},
{
"name": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a"
}
],
"source": {
"advisory": "GHSA-jx4p-m4wm-vvjg",
"discovery": "UNKNOWN"
},
"title": "Malicious directory junction can cause WiX RemoveFoldersEx to possibly delete elevated files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29188",
"datePublished": "2024-03-24T19:46:25.875Z",
"dateReserved": "2024-03-18T17:07:00.094Z",
"dateUpdated": "2024-08-02T01:10:54.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The custom action behind WiX\u0027s `RemoveFolderEx` functionality could allow a standard user to delete protected directories. `RemoveFolderEx` deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed `RemoveFolderEx` to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. This vulnerability is fixed in 3.14.1 and 4.0.5.\"}, {\"lang\": \"es\", \"value\": \"El conjunto de herramientas WiX permite a los desarrolladores crear instaladores para Windows Installer, el motor de instalaci\\u00f3n de Windows. La acci\\u00f3n personalizada detr\\u00e1s de la funcionalidad `RemoveFolderEx` de WiX podr\\u00eda permitir a un usuario est\\u00e1ndar eliminar directorios protegidos. `RemoveFolderEx` elimina un \\u00e1rbol de directorios completo durante la instalaci\\u00f3n o desinstalaci\\u00f3n. Lo hace recurriendo a cada subdirectorio comenzando en un directorio espec\\u00edfico y agregando cada subdirectorio a la lista de directorios que Windows Installer debe eliminar. Si el autor de la instalaci\\u00f3n indic\\u00f3 a `RemoveFolderEx` que eliminara una carpeta por usuario de un instalador por m\\u00e1quina, un atacante podr\\u00eda crear una uni\\u00f3n de directorios en esa carpeta por usuario que apunte a un directorio protegido por m\\u00e1quina. Windows Installer, al ejecutar el instalador por m\\u00e1quina despu\\u00e9s de la aprobaci\\u00f3n de un administrador, eliminar\\u00eda el destino de la uni\\u00f3n del directorio. Esta vulnerabilidad se solucion\\u00f3 en 3.14.1 y 4.0.5.\"}]",
"id": "CVE-2024-29188",
"lastModified": "2024-11-21T09:07:45.513",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H\", \"baseScore\": 7.9, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.5, \"impactScore\": 5.8}]}",
"published": "2024-03-24T20:15:08.243",
"references": "[{\"url\": \"https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-59\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-29188\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-24T20:15:08.243\",\"lastModified\":\"2024-11-21T09:07:45.513\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The custom action behind WiX\u0027s `RemoveFolderEx` functionality could allow a standard user to delete protected directories. `RemoveFolderEx` deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed `RemoveFolderEx` to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. This vulnerability is fixed in 3.14.1 and 4.0.5.\"},{\"lang\":\"es\",\"value\":\"El conjunto de herramientas WiX permite a los desarrolladores crear instaladores para Windows Installer, el motor de instalaci\u00f3n de Windows. La acci\u00f3n personalizada detr\u00e1s de la funcionalidad `RemoveFolderEx` de WiX podr\u00eda permitir a un usuario est\u00e1ndar eliminar directorios protegidos. `RemoveFolderEx` elimina un \u00e1rbol de directorios completo durante la instalaci\u00f3n o desinstalaci\u00f3n. Lo hace recurriendo a cada subdirectorio comenzando en un directorio espec\u00edfico y agregando cada subdirectorio a la lista de directorios que Windows Installer debe eliminar. Si el autor de la instalaci\u00f3n indic\u00f3 a `RemoveFolderEx` que eliminara una carpeta por usuario de un instalador por m\u00e1quina, un atacante podr\u00eda crear una uni\u00f3n de directorios en esa carpeta por usuario que apunte a un directorio protegido por m\u00e1quina. Windows Installer, al ejecutar el instalador por m\u00e1quina despu\u00e9s de la aprobaci\u00f3n de un administrador, eliminar\u00eda el destino de la uni\u00f3n del directorio. Esta vulnerabilidad se solucion\u00f3 en 3.14.1 y 4.0.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H\",\"baseScore\":7.9,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.5,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"references\":[{\"url\":\"https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg\", \"name\": \"https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742\", \"name\": \"https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a\", \"name\": \"https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T01:10:54.532Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-29188\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-28T18:20:54.492822Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:19.859Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"Malicious directory junction can cause WiX RemoveFoldersEx to possibly delete elevated files\", \"source\": {\"advisory\": \"GHSA-jx4p-m4wm-vvjg\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"wixtoolset\", \"product\": \"issues\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.14.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 4.0.5\"}]}], \"references\": [{\"url\": \"https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg\", \"name\": \"https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742\", \"name\": \"https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a\", \"name\": \"https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The custom action behind WiX\u0027s `RemoveFolderEx` functionality could allow a standard user to delete protected directories. `RemoveFolderEx` deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed `RemoveFolderEx` to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. This vulnerability is fixed in 3.14.1 and 4.0.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-59\", \"description\": \"CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-24T19:46:25.875Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-29188\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T01:10:54.532Z\", \"dateReserved\": \"2024-03-18T17:07:00.094Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-03-24T19:46:25.875Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…