gsd-2024-29187
Vulnerability from gsd
Modified
2024-04-02 05:02
Details
WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.
Aliases
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2024-29187"
],
"details": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\\Windows\\Temp to drop and load multiple binaries. Standard users can hijack the binary before it\u0027s loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.",
"id": "GSD-2024-29187",
"modified": "2024-04-02T05:02:57.648979Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2024-29187",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "issues",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003c 3.14.1"
},
{
"version_affected": "=",
"version_value": "\u003e= 4.0.0, \u003c 4.0.5"
}
]
}
}
]
},
"vendor_name": "wixtoolset"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\\Windows\\Temp to drop and load multiple binaries. Standard users can hijack the binary before it\u0027s loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-732",
"lang": "eng",
"value": "CWE-732: Incorrect Permission Assignment for Critical Resource"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r",
"refsource": "MISC",
"url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r"
},
{
"name": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7",
"refsource": "MISC",
"url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7"
},
{
"name": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9",
"refsource": "MISC",
"url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9"
}
]
},
"source": {
"advisory": "GHSA-rf39-3f98-xr7r",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"cve": {
"descriptions": [
{
"lang": "en",
"value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\\Windows\\Temp to drop and load multiple binaries. Standard users can hijack the binary before it\u0027s loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5."
}
],
"id": "CVE-2024-29187",
"lastModified": "2024-03-25T01:51:01.223",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-03-24T20:15:08.003",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
}
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.