CVE-2024-24810: Untrusted Search Path

February 8, 2024

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges. This impacts any installer built with the WiX installer framework. This issue has been patched in version 4.0.4.

References

github.com/advisories/GHSA-7wh2-wxc7-9ph5
github.com/wixtoolset/issues/security/advisories/GHSA-7wh2-wxc7-9ph5
github.com/wixtoolset/wix/commit/fec38b6461d0551339139a2fe52403a61942adc0
nvd.nist.gov/vuln/detail/CVE-2024-24810

Code Behaviors & Features

Detect and mitigate CVE-2024-24810 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →