cve-2024-29188
Vulnerability from cvelistv5
Published
2024-03-24 19:46
Modified
2024-08-02 01:10
Severity ?
7.9 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H
Summary
Malicious directory junction can cause WiX RemoveFoldersEx to possibly delete elevated files
References
security-advisories@github.comhttps://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg
security-advisories@github.comhttps://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742
security-advisories@github.comhttps://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a
Impacted products
wixtoolsetissues
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-29188",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-28T18:20:54.492822Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:57:33.971Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:10:54.532Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg"
          },
          {
            "name": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742"
          },
          {
            "name": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "issues",
          "vendor": "wixtoolset",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.14.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The custom action behind WiX\u0027s `RemoveFolderEx` functionality could allow a standard user to delete protected directories. `RemoveFolderEx` deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed `RemoveFolderEx` to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. This vulnerability is fixed in 3.14.1 and 4.0.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-24T19:46:25.875Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg"
        },
        {
          "name": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742"
        },
        {
          "name": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a"
        }
      ],
      "source": {
        "advisory": "GHSA-jx4p-m4wm-vvjg",
        "discovery": "UNKNOWN"
      },
      "title": "Malicious directory junction can cause WiX RemoveFoldersEx to possibly delete elevated files"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-29188",
    "datePublished": "2024-03-24T19:46:25.875Z",
    "dateReserved": "2024-03-18T17:07:00.094Z",
    "dateUpdated": "2024-08-02T01:10:54.532Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-29188\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-24T20:15:08.243\",\"lastModified\":\"2024-03-25T01:51:01.223\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The custom action behind WiX\u0027s `RemoveFolderEx` functionality could allow a standard user to delete protected directories. `RemoveFolderEx` deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed `RemoveFolderEx` to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. This vulnerability is fixed in 3.14.1 and 4.0.5.\"},{\"lang\":\"es\",\"value\":\"El conjunto de herramientas WiX permite a los desarrolladores crear instaladores para Windows Installer, el motor de instalaci\u00f3n de Windows. La acci\u00f3n personalizada detr\u00e1s de la funcionalidad `RemoveFolderEx` de WiX podr\u00eda permitir a un usuario est\u00e1ndar eliminar directorios protegidos. `RemoveFolderEx` elimina un \u00e1rbol de directorios completo durante la instalaci\u00f3n o desinstalaci\u00f3n. Lo hace recurriendo a cada subdirectorio comenzando en un directorio espec\u00edfico y agregando cada subdirectorio a la lista de directorios que Windows Installer debe eliminar. Si el autor de la instalaci\u00f3n indic\u00f3 a `RemoveFolderEx` que eliminara una carpeta por usuario de un instalador por m\u00e1quina, un atacante podr\u00eda crear una uni\u00f3n de directorios en esa carpeta por usuario que apunte a un directorio protegido por m\u00e1quina. Windows Installer, al ejecutar el instalador por m\u00e1quina despu\u00e9s de la aprobaci\u00f3n de un administrador, eliminar\u00eda el destino de la uni\u00f3n del directorio. Esta vulnerabilidad se solucion\u00f3 en 3.14.1 y 4.0.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.9,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.5,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"references\":[{\"url\":\"https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.