CVE-2023-5834 — Insecure Operation on Windows Junction / Mount Point in Vagrant

CWE-1386 — Insecure Operation on Windows Junction / Mount Point CWE-59 — Link Following3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 75.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Vagrant Github.com Hashicorp Vagrant

Timeline

PublishedOct 27

Latest updateOct 28

Description

HashiCorp Vagrant's Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. Fixed in Vagrant 2.4.0.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5hashicorp/vagrant* — 2.4.0

▶NVDhashicorp/vagrant< 2.4.0

▶Gogithub.com/hashicorp_vagrant< 2.4.0

🔴Vulnerability Details

GHSA

HashiCorp Vagrant Insecure Operation on Windows Junction / Mount Point vulnerability↗2023-10-28

▶

OSV

HashiCorp Vagrant Insecure Operation on Windows Junction / Mount Point vulnerability↗2023-10-28

▶