Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Briefcase: Windows MSI Installer Privilege Escalation via Insecure Directory Permissions
Vulnerability Description
Briefcase is a tool for converting a Python project into a standalone native application. Starting in version 0.3.0 and prior to version 0.3.26, if a developer uses Briefcase to produce an Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), the installation process creates an directory that inherits all the permissions of the parent directory. Depending on the location chosen by the installing user, this may allow a low privilege but authenticated user to replace or modify the binaries installed by the application. If an administrator then runs the altered binary, the binary will run with elevated privileges. The problem is caused by the template used to generate the WXS file for Windows projects. It was fixed in the templates used in Briefcase 0.3.26, 0.4.0, and 0.4.1. Re-running `briefcase create` on your Briefcase project will result in the updated templates being used. As a workaround, the patch can be added to any existing Briefcase .wxs file generated by Briefcase 0.3.24 or later.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
关键资源的不正确权限授予
Vulnerability Title
Briefcase Windows Visual Studio Template 安全漏洞
Vulnerability Description
Briefcase Windows Visual Studio Template是BeeWare开源的一个用于生成Windows应用安装包的Visual Studio项目模板。 Briefcase Windows Visual Studio Template 0.3.26之前版本存在安全漏洞,该漏洞源于Windows MSI安装程序模板创建权限不当的目录,可能导致权限提升。
CVSS Information
N/A
Vulnerability Type
N/A