CVE-2019-16511 — Path Traversal in WIX Toolset

CWE-22 — Path Traversal2 documents2 sources

Severity

5.5MEDIUMNVD

EPSS

4.6%

top 10.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Firegiant WIX Toolset

Timeline

PublishedSep 19

Latest updateMay 24

Description

An issue was discovered in DTF in FireGiant WiX Toolset before 3.11.2. Microsoft.Deployment.Compression.Cab.dll and Microsoft.Deployment.Compression.Zip.dll allow directory traversal during CAB or ZIP archive extraction, because the full name of an archive file (even with a ../ sequence) is concatenated with the destination path.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages1 packages

▶NVDfiregiant/wix_toolset< 3.11.2

Patches

Patch: github.com ↗Patch: www.firegiant.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-p4px-wc6m-r3hr: An issue was discovered in DTF in FireGiant WiX Toolset before 3↗2022-05-24

▶