Japan Vulnerability NotesJVN:29902403JVN#29902403: Installers generated by Squirrel.Windows may insecurely load Dynamic Link Libraries
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
26.7%
Squirrel.Windows is both a toolset and a library that provides installation and update functionality for Windows desktop applications.
Installers generated by Squirrel.Windows contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Impact
Arbitrary code may be executed with the privilege of the user invoking the installer.
Solution
As of December 21, 2022, the fixed version is not provided.
According to the developer, there are no plans to release the fixed version soon, but the following fix was committed to ‘develop’ branch of the GitHub repository on June 1, 2021.
- Better delay load urlmon and move official build to GH Actions #1807
You should create Squirrel.Windows from the latest source code from ‘develop’ branch and use it to generate an installer.
Products Affected
- Installers generated by Squirrel.Windows 2.0.1 and earlier
Related
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
26.7%