CVE-2023-37378

Source
https://cve.org/CVERecord?id=CVE-2023-37378
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-37378.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-37378
Downstream
Published
2023-07-03T20:15:09.620Z
Modified
2026-04-16T00:10:21.713793504Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
[none]
Details

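Nullsoft Scriptable Install System (NSIS) before 3.09 mishandles access control for an uninstaller directory. (The two unresolved ranges in this record disagree about 3.09 itself: the CPE-derived range records it as `last_affected`, while the description-derived range records it as `fixed`. The description text and the affected-version list, whose highest release tag is v308, are both consistent with 3.09 being the first fixed release.)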

Database specific
{
    "unresolved_ranges": [
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "3.09"
                }
            ],
            "cpe": "cpe:2.3:a:nullsoft:nullsoft_scriptable_install_system:*:*:*:*:*:*:*:*"
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "fixed": "3.09"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/nsis-dev/nsis

Affected ranges

Type
GIT
Repo
https://github.com/nsis-dev/nsis
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

Other
v20
v201
v202
v203
v204
v205
v206
v207
v207b0
v208
v20b1
v20b2
v20b3
v20b4
v20rc1
v20rc2
v20rc3
v20rc4
v210
v211
v212
v213
v214
v215
v216
v217
v218
v219
v220
v221
v222
v223
v224
v225
v226
v227
v228
v229
v230
v231
v232
v233
v234
v235
v236
v237
v238
v239
v240
v241
v242
v243
v244
v245
v246
v30
v301
v3021
v303
v304
v305
v306
v3061
v307
v308
v30a1
v30a2
v30b0
v30b1
v30b2
v30b3
v30rc1
v30rc2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-37378.json"
vanir_signatures
[
    {
        "target": {
            "file": "Source/exehead/util.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/nsis-dev/nsis/commit/409b5841479c44fbf33a6ba97c1146e46f965467",
        "id": "CVE-2023-37378-1f336d60",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "324958057323643130586345113791539764096",
                "117616857455475812510142102486678823590",
                "324850355286303962528828379944142614501",
                "94954054456980137786801492744165139778"
            ]
        }
    },
    {
        "target": {
            "function": "CreateRestrictedDirectory",
            "file": "Source/exehead/util.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/nsis-dev/nsis/commit/281e2851fe669d10e0650fc89d0e7fb74a598967",
        "id": "CVE-2023-37378-3ed50a8d",
        "digest": {
            "function_hash": "245933394105413283240663427846959844977",
            "length": 522.0
        }
    },
    {
        "source": "https://github.com/nsis-dev/nsis/commit/281e2851fe669d10e0650fc89d0e7fb74a598967",
        "signature_version": "v1",
        "target": {
            "file": "Source/exehead/util.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2023-37378-66428610",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "326141712043076416526136596523430540743",
                "202982482643067989298280844419095220382",
                "24263019519671736427181619813841818864",
                "189704634293646577263530309866634631379",
                "3146274400194407823793192805166777700",
                "322755437027658954649796029100613919458",
                "85661416849814806130203934723416872477",
                "51215092847227404712084550922762011336",
                "313717456832945400106721311441839891853",
                "57510050877321720187454097656411127526",
                "98686635033574899021195805781878172080"
            ]
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://github.com/nsis-dev/nsis/commit/281e2851fe669d10e0650fc89d0e7fb74a598967",
        "signature_type": "Line",
        "target": {
            "file": "Source/build.cpp"
        },
        "id": "CVE-2023-37378-9a95f4f9",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "330747107025817459460812397665623240370",
                "192542784115639272777968930244041434538",
                "28918449838761000964390576299328945104",
                "140309671072166091083619161475956417937",
                "192913407631971418116817235182798046963"
            ]
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://github.com/nsis-dev/nsis/commit/281e2851fe669d10e0650fc89d0e7fb74a598967",
        "signature_type": "Function",
        "target": {
            "function": "NSISWinMainNOCRT",
            "file": "Source/exehead/Main.c"
        },
        "id": "CVE-2023-37378-a9a8ad41",
        "digest": {
            "function_hash": "268958813105703448559889959580320807284",
            "length": 7120.0
        }
    },
    {
        "target": {
            "function": "CEXEBuild::AddStandardStrings",
            "file": "Source/build.cpp"
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/nsis-dev/nsis/commit/281e2851fe669d10e0650fc89d0e7fb74a598967",
        "id": "CVE-2023-37378-ebfbcc44",
        "digest": {
            "function_hash": "216184667392552618939447548904334110197",
            "length": 496.0
        }
    },
    {
        "target": {
            "file": "Source/exehead/Main.c"
        },
        "signature_version": "v1",
        "source": "https://github.com/nsis-dev/nsis/commit/281e2851fe669d10e0650fc89d0e7fb74a598967",
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2023-37378-f96d0ac5",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "60543037167232676067549862839017220593",
                "76046088486453568946336336722720563975",
                "275640915613554648152563760476393195678",
                "172676567540280631963649980876456781514",
                "4289035430264387161276554649485414837",
                "291520104958682271676366889532797284590",
                "162135200464859797397507481780335903973",
                "85226076787956403500313454633934366283",
                "233432201394001661051155709591834078895",
                "313874196478770005358584940841620236403",
                "160653053246226962671467081784280584519",
                "221222718719831732657784172275636846018",
                "247806732783732742629530897144882437358",
                "200250014606682383813935174808415964487",
                "150533182142403155017917992531036182334",
                "139963057636399141210237298990742456137",
                "44501027052060518232755270189537024105",
                "113071475526878485971776268039702823427",
                "122864058405360369512309200936464639512",
                "223179574942757062959591364325928774728",
                "98032065988930303444066284287075984383",
                "164950581094023096263630925339827005326",
                "279948318976633098179475554496007811596",
                "67209035163701503300638619594651603987",
                "229007476203784657544402366885108667631",
                "179549671273348806821548131167239526405",
                "303993718806375606604641388294266553298",
                "201473867717459035062995724688689687325",
                "119394310189101375440086207481608574445",
                "33111018883604039292587137378230719654",
                "173825978292864369792481519406267853609",
                "237570166645348850479640077180332630435",
                "272013930704657037434137343990911428054",
                "75493550936600032105303780860033650504",
                "225068793697838432106127259804466543092",
                "260275924475928678392964062323325008452",
                "65533719156362105250301084449697781109",
                "336838171282105654712498653543023844572",
                "163278874613214724575856359767770856499",
                "111725296115406526554234627055903835505",
                "69153807055451316838089752882424565985",
                "117170084492708316349714162838958332660"
            ]
        }
    }
]
vanir_signatures_modified
"2026-04-12T08:32:56Z"