CVE-2024-29188

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-29188

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-29188.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-29188

Aliases

GHSA-jx4p-m4wm-vvjg

Published

2024-03-24T19:46:25.875Z

Modified

2025-12-02T20:37:00.593589Z

Severity

7.9 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H CVSS Calculator

Summary

Malicious directory junction can cause WiX RemoveFoldersEx to possibly delete elevated files

Details

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The custom action behind WiX's RemoveFolderEx functionality could allow a standard user to delete protected directories. RemoveFolderEx deletes an entire directory tree during installation or uninstallation. It does so by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed RemoveFolderEx to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction. This vulnerability is fixed in 3.14.1 and 4.0.5.

Database specific

{
    "cwe_ids": [
        "CWE-59"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29188.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/wixtoolset/wix

Affected ranges

Type: GIT
Repo: https://github.com/wixtoolset/wix
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2e5960b575881567a8807e6b8b9c513138b19742

Database specific

vanir_signatures

[
    {
        "id": "CVE-2024-29188-3c9d8a4e",
        "source": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742",
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "12167210011196546278955702443042459595",
                "212815768888917157328275995063511215543",
                "262360907396483902333948926594438991859",
                "123568908231580348393599730054889329806",
                "248970759541077859269682561881081196538",
                "79948356566962686282965687718817036977",
                "206692363494623044553551604119053240060",
                "310907125740997366349245302936256045271"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/ext/Util/ca/RemoveFoldersEx.cpp"
        }
    },
    {
        "id": "CVE-2024-29188-7a292542",
        "source": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742",
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "315398171143457755832727327284327518902",
                "57433646776359551242018896393001631255",
                "153390547766836153243384045211714248960",
                "204722630655963928047106757089072424351"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/dtf/SfxCA/SfxUtil.cpp"
        }
    },
    {
        "id": "CVE-2024-29188-ec4e528f",
        "source": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742",
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "function_hash": "42402641038884878137330073238233142554",
            "length": 769.0
        },
        "target": {
            "function": "DeleteDirectory",
            "file": "src/dtf/SfxCA/SfxUtil.cpp"
        }
    },
    {
        "id": "CVE-2024-29188-f7e4fe74",
        "source": "https://github.com/wixtoolset/wix/commit/2e5960b575881567a8807e6b8b9c513138b19742",
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "function_hash": "125636100461973275335596632368738494896",
            "length": 2819.0
        },
        "target": {
            "function": "RecursePath",
            "file": "src/ext/Util/ca/RemoveFoldersEx.cpp"
        }
    }
]

Git / github.com/wixtoolset/wix3

Affected ranges

Type: GIT
Repo: https://github.com/wixtoolset/wix3
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

93eeb5f6835776694021f66d4226c262c67d487a

Affected versions

Other

wix3101rtm

wix3102rtm

wix3103rtm

wix310rtm

wix311rtm

wix314rtm

wix38rtm

wix39rtm

Database specific

vanir_signatures

[
    {
        "id": "CVE-2024-29188-4b4af6af",
        "source": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a",
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "330081163568180098271931014562006408202",
                "67559101698235371247063683629216861769",
                "273739843084938211800361670883289621713",
                "148327883292450560052301475267621766056",
                "98974881564231501315083202825516671299",
                "327061149520605942937828174320452813060",
                "184074362942257707176474370884531980034",
                "105330465127032992712314238713430570689"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/ext/ca/wixca/dll/RemoveFoldersEx.cpp"
        }
    },
    {
        "id": "CVE-2024-29188-551cbb09",
        "source": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a",
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "function_hash": "42402641038884878137330073238233142554",
            "length": 769.0
        },
        "target": {
            "function": "DeleteDirectory",
            "file": "src/DTF/Tools/SfxCA/SfxUtil.cpp"
        }
    },
    {
        "id": "CVE-2024-29188-aa87b978",
        "source": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a",
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "function_hash": "199099740742973738733939807511981395287",
            "length": 2465.0
        },
        "target": {
            "function": "RecursePath",
            "file": "src/ext/ca/wixca/dll/RemoveFoldersEx.cpp"
        }
    },
    {
        "id": "CVE-2024-29188-ef5ee984",
        "source": "https://github.com/wixtoolset/wix3/commit/93eeb5f6835776694021f66d4226c262c67d487a",
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "315398171143457755832727327284327518902",
                "57433646776359551242018896393001631255",
                "153390547766836153243384045211714248960",
                "204722630655963928047106757089072424351"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/DTF/Tools/SfxCA/SfxUtil.cpp"
        }
    }
]