CVE-2024-29188 - Vulnerability Details

Source	ID	Title
EUVD	EUVD-2024-0956	WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The custom action behind WiX's `RemoveFolderEx` functionality could allow a standard user to delete protected directories. `RemoveFolderEx` deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed `RemoveFolderEx` to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. This vulnerability is fixed in 3.14.1 and 4.0.5.
Github GHSA	GHSA-jx4p-m4wm-vvjg	Malicious directory junction can cause WiX RemoveFoldersEx to possibly delete elevated files

Link	Providers
https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg
https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742
https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29188", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-18T17:07:00.094Z", "datePublished": "2024-03-24T19:46:25.875Z", "dateUpdated": "2024-08-02T01:10:54.532Z"}, "containers": {"cna": {"title": "Malicious directory junction can cause WiX RemoveFoldersEx to possibly delete elevated files", "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "lang": "en", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg"}, {"name": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742", "tags": ["x_refsource_MISC"], "url": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742"}, {"name": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a", "tags": ["x_refsource_MISC"], "url": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a"}], "affected": [{"vendor": "wixtoolset", "product": "issues", "versions": [{"version": "< 3.14.1", "status": "affected"}, {"version": ">= 4.0.0, < 4.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-24T19:46:25.875Z"}, "descriptions": [{"lang": "en", "value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The custom action behind WiX's `RemoveFolderEx` functionality could allow a standard user to delete protected directories. `RemoveFolderEx` deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed `RemoveFolderEx` to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. This vulnerability is fixed in 3.14.1 and 4.0.5."}], "source": {"advisory": "GHSA-jx4p-m4wm-vvjg", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29188", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-28T18:20:54.492822Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:57:33.971Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:54.532Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg"}, {"name": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742"}, {"name": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg", "name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742", "name": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a", "name": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:54.532Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29188", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-28T18:20:54.492822Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:19.859Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Malicious directory junction can cause WiX RemoveFoldersEx to possibly delete elevated files", "source": {"advisory": "GHSA-jx4p-m4wm-vvjg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "wixtoolset", "product": "issues", "versions": [{"status": "affected", "version": "< 3.14.1"}, {"status": "affected", "version": ">= 4.0.0, < 4.0.5"}]}], "references": [{"url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg", "name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742", "name": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a", "name": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The custom action behind WiX's `RemoveFolderEx` functionality could allow a standard user to delete protected directories. `RemoveFolderEx` deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed `RemoveFolderEx` to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. This vulnerability is fixed in 3.14.1 and 4.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-24T19:46:25.875Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29188", "state": "PUBLISHED", "dateUpdated": "2024-08-02T01:10:54.532Z", "dateReserved": "2024-03-18T17:07:00.094Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-24T19:46:25.875Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The custom action behind WiX's `RemoveFolderEx` functionality could allow a standard user to delete protected directories. `RemoveFolderEx` deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed `RemoveFolderEx` to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. This vulnerability is fixed in 3.14.1 and 4.0.5."}, {"lang": "es", "value": "El conjunto de herramientas WiX permite a los desarrolladores crear instaladores para Windows Installer, el motor de instalaci\u00f3n de Windows. La acci\u00f3n personalizada detr\u00e1s de la funcionalidad `RemoveFolderEx` de WiX podr\u00eda permitir a un usuario est\u00e1ndar eliminar directorios protegidos. `RemoveFolderEx` elimina un \u00e1rbol de directorios completo durante la instalaci\u00f3n o desinstalaci\u00f3n. Lo hace recurriendo a cada subdirectorio comenzando en un directorio espec\u00edfico y agregando cada subdirectorio a la lista de directorios que Windows Installer debe eliminar. Si el autor de la instalaci\u00f3n indic\u00f3 a `RemoveFolderEx` que eliminara una carpeta por usuario de un instalador por m\u00e1quina, un atacante podr\u00eda crear una uni\u00f3n de directorios en esa carpeta por usuario que apunte a un directorio protegido por m\u00e1quina. Windows Installer, al ejecutar el instalador por m\u00e1quina despu\u00e9s de la aprobaci\u00f3n de un administrador, eliminar\u00eda el destino de la uni\u00f3n del directorio. Esta vulnerabilidad se solucion\u00f3 en 3.14.1 y 4.0.5."}], "id": "CVE-2024-29188", "lastModified": "2024-11-21T09:07:45.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-24T20:15:08.243", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg"}, {"source": "security-advisories@github.com", "url": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742"}, {"source": "security-advisories@github.com", "url": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-jx4p-m4wm-vvjg"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction Required

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object