CVE-2024-29187 HIGH

CVE-2024-29187: WiX based installers are vulnerable to binary hijack when run as SYSTEM

Vendor Wixtoolset
Product issues
Weakness CWE-732
Published March 24, 2024
Last update August 13, 2024

CVSS base score

7.3/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.

Key dates

02Disclosure timeline

March 24, 2024 CVE published
August 13, 2024 Record updated