CVE-2024-29187

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r
https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7
https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9
https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r
https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7
https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9

Configurations

No configuration.

History

No history.

Information

Published : 2024-03-24 20:15

Updated : 2024-11-21 09:07

NVD link : CVE-2024-29187

Mitre link : CVE-2024-29187

CVE.ORG link : CVE-2024-29187

JSON object : View

Products Affected

No product.

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2024-29187", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.3}]}, "published": "2024-03-24T20:15:08.003", "references": [{"url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r", "source": "security-advisories@github.com"}, {"url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7", "source": "security-advisories@github.com"}, {"url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9", "source": "security-advisories@github.com"}, {"url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\\Windows\\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5."}, {"lang": "es", "value": "El conjunto de herramientas WiX permite a los desarrolladores crear instaladores para Windows Installer, el motor de instalaci\u00f3n de Windows. Cuando un paquete se ejecuta como usuario del SYSTEMA, Burn usa GetTempPathW que apunta a un directorio inseguro C:\\Windows\\Temp para colocar y cargar m\u00faltiples archivos binarios. Los usuarios est\u00e1ndar pueden secuestrar el binario antes de que se cargue en la aplicaci\u00f3n, lo que resulta en una elevaci\u00f3n de privilegios. Esta vulnerabilidad se solucion\u00f3 en 3.14.1 y 4.0.5."}], "lastModified": "2024-11-21T09:07:45.380", "sourceIdentifier": "security-advisories@github.com"}