Home > Vulnerability Database > CVE-2024-29187

Mend.io Vulnerability Database

CVE-2024-29187

Good to know:

Date: March 24, 2024

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5.

Language: C++

Severity Score

7.3

Related Resources (5)

Url: https://github.com/wixtoolset/wix/commit/75a8c75d4e02ea219008dc5af7d03869291d61f7

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-29187

Url: https://github.com/wixtoolset/issues/security/advisories/GHSA-rf39-3f98-xr7r

Url: https://github.com/wixtoolset/wix3/commit/6d372e5169f1a334a395cdf496443bc0732098e9

Url: https://www.mend.io/vulnerability-database/CVE-2024-29187

Severity Score

7.3

Weakness Type (CWE)

Incorrect Permission Assignment for Critical Resource

CWE-732

Top Fix

Upgrade Version

Upgrade to version v4.0.5,wix3141rtm

Learn More

CVSS v3.1

Base Score:	7.3
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-29187

Good to know:

Date: March 24, 2024

Language: C++

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?