CVE-2024-10228

The Vagrant VMWare Utility Windows installer targeted a custom location with a non-protected path that could be modified by an unprivileged user, introducing potential for unauthorized file system writes. This vulnerability, CVE-2024-10228, was fixed in Vagrant VMWare Utility 1.0.23

CVSS v3 3.8 LOW

3.8^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.0 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://discuss.hashicorp.com/t/hcsec-2024-25-vagrant-vmware-utility-installation-files-vulnerable-to-modification-by-unprivileged-user	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hashicorp:vagrant_vmware_utility:*:*:*:*:*:windows:*:*

History

No history.

Information

Published : 2024-10-29 22:15

Updated : 2024-11-07 17:12

NVD link : CVE-2024-10228

Mitre link : CVE-2024-10228

CVE.ORG link : CVE-2024-10228

JSON object : View

Products Affected

hashicorp

vagrant_vmware_utility

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2024-10228", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@hashicorp.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.8, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.0}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2024-10-29T22:15:03.220", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2024-25-vagrant-vmware-utility-installation-files-vulnerable-to-modification-by-unprivileged-user", "tags": ["Vendor Advisory"], "source": "security@hashicorp.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@hashicorp.com", "description": [{"lang": "en", "value": "CWE-732"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "The Vagrant VMWare Utility Windows installer targeted a custom location with a non-protected path that could be modified by an unprivileged user, introducing potential for unauthorized file system writes. This vulnerability, CVE-2024-10228, was fixed in Vagrant VMWare Utility 1.0.23"}, {"lang": "es", "value": "El instalador de Windows de Vagrant VMWare Utility apuntaba a una ubicaci\u00f3n personalizada con una ruta no protegida que pod\u00eda ser modificada por un usuario sin privilegios, lo que generaba la posibilidad de escrituras no autorizadas en el sistema de archivos. Esta vulnerabilidad, CVE-2024-10228, se corrigi\u00f3 en Vagrant VMWare Utility 1.0.23"}], "lastModified": "2024-11-07T17:12:45.750", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:vagrant_vmware_utility:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "4537265A-3F2C-46ED-9B06-ED63987A6119", "versionEndExcluding": "1.0.23"}], "operator": "OR"}]}], "sourceIdentifier": "security@hashicorp.com"}