{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29187", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-18T17:07:00.094Z", "datePublished": "2024-03-24T19:38:38.140Z", "dateUpdated": "2024-08-13T14:28:49.838Z"}, "containers": {"cna": {"title": "WiX based installers are vulnerable to binary hijack when run as SYSTEM", "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "lang": "en", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r"}, {"name": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7", "tags": ["x_refsource_MISC"], "url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7"}, {"name": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9", "tags": ["x_refsource_MISC"], "url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9"}], "affected": [{"vendor": "wixtoolset", "product": "issues", "versions": [{"version": "< 3.14.1", "status": "affected"}, {"version": ">= 4.0.0, < 4.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-24T19:46:06.327Z"}, "descriptions": [{"lang": "en", "value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\\Windows\\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5."}], "source": {"advisory": "GHSA-rf39-3f98-xr7r", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:54.048Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r"}, {"name": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7"}, {"name": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9"}]}, {"affected": [{"vendor": "wixtoolset_project", "product": "burn", "cpes": ["cpe:2.3:a:wixtoolset_project:burn:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "3.14.1", "versionType": "custom"}, {"version": "4.0.0", "status": "affected", "lessThan": "4.0.5", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-13T14:26:34.154132Z", "id": "CVE-2024-29187", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-13T14:28:49.838Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r", "name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7", "name": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9", "name": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:54.048Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29187", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-13T14:26:34.154132Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:wixtoolset_project:burn:*:*:*:*:*:*:*:*"], "vendor": "wixtoolset_project", "product": "burn", "versions": [{"status": "affected", "version": "0", "lessThan": "3.14.1", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.5", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-13T14:28:33.809Z"}}], "cna": {"title": "WiX based installers are vulnerable to binary hijack when run as SYSTEM", "source": {"advisory": "GHSA-rf39-3f98-xr7r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "wixtoolset", "product": "issues", "versions": [{"status": "affected", "version": "< 3.14.1"}, {"status": "affected", "version": ">= 4.0.0, < 4.0.5"}]}], "references": [{"url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r", "name": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7", "name": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9", "name": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\\Windows\\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-24T19:46:06.327Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29187", "state": "PUBLISHED", "dateUpdated": "2024-08-13T14:28:49.838Z", "dateReserved": "2024-03-18T17:07:00.094Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-24T19:38:38.140Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\\Windows\\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5."}, {"lang": "es", "value": "El conjunto de herramientas WiX permite a los desarrolladores crear instaladores para Windows Installer, el motor de instalaci\u00f3n de Windows. Cuando un paquete se ejecuta como usuario del SYSTEMA, Burn usa GetTempPathW que apunta a un directorio inseguro C:\\Windows\\Temp para colocar y cargar m\u00faltiples archivos binarios. Los usuarios est\u00e1ndar pueden secuestrar el binario antes de que se cargue en la aplicaci\u00f3n, lo que resulta en una elevaci\u00f3n de privilegios. Esta vulnerabilidad se solucion\u00f3 en 3.14.1 y 4.0.5."}], "id": "CVE-2024-29187", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-24T20:15:08.003", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r"}, {"source": "security-advisories@github.com", "url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7"}, {"source": "security-advisories@github.com", "url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}