Common Weakness Enumeration

CWE-426

Allowed-with-Review

Untrusted Search Path

Abstraction: Base · Status: Stable

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

895 vulnerabilities reference this CWE, most recent first.

GHSA-6QQ2-69C3-WR79

Vulnerability from github – Published: 2022-05-17 02:40 – Updated: 2022-05-17 02:40
VLAI
Details

Untrusted search path vulnerability in The Public Certification Service for Individuals "The JPKI user's software (for Windows 7 and later)" Ver3.0.1 and earlier, The Public Certification Service for Individuals "The JPKI user's software (for Windows Vista)" Ver3.0.1 and earlier and The Public Certification Service for Individuals "The JPKI user's software" Ver2.6 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-4902"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-09T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in The Public Certification Service for Individuals \"The JPKI user\u0027s software (for Windows 7 and later)\" Ver3.0.1 and earlier, The Public Certification Service for Individuals \"The JPKI user\u0027s software (for Windows Vista)\" Ver3.0.1 and earlier and The Public Certification Service for Individuals \"The JPKI user\u0027s software\" Ver2.6 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.",
  "id": "GHSA-6qq2-69c3-wr79",
  "modified": "2022-05-17T02:40:32Z",
  "published": "2022-05-17T02:40:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4902"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN91002412/index.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94087"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6RRF-P74P-P7Q8

Vulnerability from github – Published: 2025-09-26 15:30 – Updated: 2025-09-29 15:30
VLAI
Details

In Seagate Toolkit on Windows a vulnerability exists in the Toolkit Installer prior to versions 2.35.0.6 where it attempts to load DLLs from the current working directory without validating their origin or integrity. This behavior can be exploited by placing a malicious DLL in the same directory as the installer executable, leading to arbitrary code execution with the privileges of the user running the installer. The issue stems from the use of insecure DLL loading practices, such as relying on relative paths or failing to specify fully qualified paths when invoking system libraries.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-26T13:15:41Z",
    "severity": "HIGH"
  },
  "details": "In Seagate Toolkit on Windows a\u00a0vulnerability exists in the Toolkit Installer prior to\u00a0versions 2.35.0.6 where it attempts to load DLLs from the current working directory without validating their origin or integrity. This behavior can be exploited by placing a malicious DLL in the same directory as the installer executable, leading to arbitrary code execution with the privileges of the user running the installer. The issue stems from the use of insecure DLL loading practices, such as relying on relative paths or failing to specify fully qualified paths when invoking system libraries.",
  "id": "GHSA-6rrf-p74p-p7q8",
  "modified": "2025-09-29T15:30:35Z",
  "published": "2025-09-26T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9267"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Tiger3080/CVE-2025-9267"
    },
    {
      "type": "WEB",
      "url": "https://www.seagate.com/product-security/#security-advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.seagate.com/support/software/toolkit"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6RW3-3WHW-JVJJ

Vulnerability from github – Published: 2022-04-22 20:13 – Updated: 2022-04-22 20:13
VLAI
Summary
Git LFS can execute a binary from the current directory on Windows
Details

Impact

On Windows, if Git LFS operates on a malicious repository with a ..exe file as well as a file named git.exe, and git.exe is not found in PATH, the ..exe program will be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.

Similarly, if the malicious repository contains files named ..exe and cygpath.exe, and cygpath.exe is not found in PATH, the ..exe program will be executed when certain Git LFS commands are run.

More generally, if the current working directory contains any file with a base name of . and a file extension from PATHEXT (except .bat and .cmd), and also contains another file with the same base name as a program Git LFS intends to execute (such as git, cygpath, or uname) and any file extension from PATHEXT (including .bat and .cmd), then, on Windows, when Git LFS attempts to execute the intended program the ..exe, ..com, etc., file will be executed instead, but only if the intended program is not found in any directory listed in PATH.

The vulnerability occurs because when Git LFS detects that the program it intends to run does not exist in any directory listed in PATH then Git LFS passes an empty string as the executable file path to the Go os/exec package, which contains a bug such that, on Windows, it prepends the name of the current working directory (i.e., .) to the empty string without adding a path separator, and as a result searches in that directory for a file with the base name . combined with any file extension from PATHEXT, executing the first one it finds.

(The reason ..bat and ..cmd files are not executed in the same manner is that, although the Go os/exec package tries to execute them just as it does a ..exe file, the Microsoft Win32 API CreateProcess() family of functions have an undocumented feature in that they apparently recognize when a caller is attempting to execute a batch script file and instead run the cmd.exe command interpreter, passing the full set of command line arguments as parameters. These are unchanged from the command line arguments set by Git LFS, and as such, the intended program's name is the first, resulting in a command line like cmd.exe /c git, which then fails.)

Git LFS has resolved this vulnerability by always reporting an error when a program is not found in any directory listed in PATH rather than passing an empty string to the Go os/exec package in this case.

The bug in the Go os/exec package has been reported to the Go project and is expected to be patched after this security advisory is published.

Patches

The problem was introduced in v2.12.1 and is patched in v3.1.3 and v3.1.4. Users of affected versions should upgrade to v3.1.4.

Workarounds

There are no known workarounds at this time.

References

  • https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6rw3-3whw-jvjj
  • https://nvd.nist.gov/vuln/detail/CVE-2022-24826
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24826
  • https://github.com/git-lfs/git-lfs/releases/tag/v3.1.4
  • git-lfs/git-lfs@762ccd4a49

For more information

If you have any questions or comments about this advisory: * For general questions, start a discussion in the Git LFS discussion forum. * For reports of additional vulnerabilities, please follow the Git LFS security reporting policy.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/git-lfs/git-lfs/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/git-lfs/git-lfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-22T20:13:21Z",
    "nvd_published_at": "2022-04-20T00:16:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nOn Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code.  This does not affect Unix systems.\n\nSimilarly, if the malicious repository contains files named `..exe` and `cygpath.exe`, and `cygpath.exe` is not found in `PATH`, the `..exe` program will be executed when certain Git LFS commands are run.\n\nMore generally, if the current working directory contains any file with a base name of `.` and a file extension from `PATHEXT` (except `.bat` and `.cmd`), and also contains another file with the same base name as a program Git LFS intends to execute (such as `git`, `cygpath`, or `uname`) and any file extension from `PATHEXT` (including `.bat` and `.cmd`), then, on Windows, when Git LFS attempts to execute the intended program the `..exe`, `..com`, etc., file will be executed instead, but only if the intended program is not found in any directory listed in `PATH`.\n\nThe vulnerability occurs because when Git LFS detects that the program it intends to run does not exist in any directory listed in `PATH` then Git LFS passes an empty string as the executable file path to the Go `os/exec` package, which contains a bug such that, on Windows, it prepends the name of the current working directory (i.e., `.`) to the empty string without adding a path separator, and as a result searches in that directory for a file with the base name `.` combined with any file extension from `PATHEXT`, executing the first one it finds.\n\n(The reason `..bat` and `..cmd` files are not executed in the same manner is that, although the Go `os/exec` package tries to execute them just as it does a `..exe` file, the Microsoft Win32 API `CreateProcess()` family of functions have an undocumented feature in that they apparently recognize when a caller is attempting to execute a batch script file and instead run the `cmd.exe` command interpreter, passing the full set of command line arguments as parameters.  These are unchanged from the command line arguments set by Git LFS, and as such, the intended program\u0027s name is the first, resulting in a command line like `cmd.exe /c git`, which then fails.)\n\nGit LFS has resolved this vulnerability by always reporting an error when a program is not found in any directory listed in `PATH` rather than passing an empty string to the Go `os/exec` package in this case.\n\nThe bug in the Go `os/exec` package has been reported to the Go project and is expected to be patched after this security advisory is published.\n\n### Patches\nThe problem was introduced in v2.12.1 and is patched in v3.1.3 and v3.1.4.  Users of affected versions should upgrade to v3.1.4.\n\n### Workarounds\nThere are no known workarounds at this time.\n\n### References\n* https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6rw3-3whw-jvjj\n* https://nvd.nist.gov/vuln/detail/CVE-2022-24826\n* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24826\n* https://github.com/git-lfs/git-lfs/releases/tag/v3.1.4\n* [git-lfs/git-lfs@762ccd4a49](https://github.com/git-lfs/git-lfs/commit/762ccd4a498f5c17723b91d56b9304434ada5540)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* For general questions, start a discussion in the Git LFS [discussion forum](https://github.com/git-lfs/git-lfs/discussions).\n* For reports of additional vulnerabilities, please follow the Git LFS [security reporting policy](https://github.com/git-lfs/git-lfs/blob/main/SECURITY.md).",
  "id": "GHSA-6rw3-3whw-jvjj",
  "modified": "2022-04-22T20:13:21Z",
  "published": "2022-04-22T20:13:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6rw3-3whw-jvjj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24826"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/git-lfs/git-lfs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Git LFS can execute a binary from the current directory on Windows"
}

GHSA-6RXW-63XM-9M5Q

Vulnerability from github – Published: 2023-04-04 15:30 – Updated: 2023-04-12 15:30
VLAI
Details

An issue found in Wondershare Technology Co., Ltd DemoCreator v.6.0.0 allows a remote attacker to execute arbitrary commands via the democreator_setup_full7743.exe file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-04T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue found in Wondershare Technology Co., Ltd DemoCreator v.6.0.0 allows a remote attacker to execute arbitrary commands via the democreator_setup_full7743.exe file.",
  "id": "GHSA-6rxw-63xm-9m5q",
  "modified": "2023-04-12T15:30:45Z",
  "published": "2023-04-04T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27762"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liong007/Wondershare/issues/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6V2W-2954-G9P8

Vulnerability from github – Published: 2022-05-17 02:27 – Updated: 2022-05-17 02:27
VLAI
Details

Untrusted search path vulnerability in Encrypted files in self-decryption format created by FileCapsule Deluxe Portable Ver.1.0.4.1 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2266"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-17T13:18:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in Encrypted files in self-decryption format created by FileCapsule Deluxe Portable Ver.1.0.4.1 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
  "id": "GHSA-6v2w-2954-g9p8",
  "modified": "2022-05-17T02:27:20Z",
  "published": "2022-05-17T02:27:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2266"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN42031953/index.html"
    },
    {
      "type": "WEB",
      "url": "http://resumenext.blog.fc2.com/blog-entry-30.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6V9V-3F4C-CJGX

Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2023-01-24 03:30
VLAI
Summary
Untrusted Search Path in PostgreSQL
Details

It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-24T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.",
  "id": "GHSA-6v9v-3f4c-cjgx",
  "modified": "2023-01-24T03:30:18Z",
  "published": "2022-02-15T01:57:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14350"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865746"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202008-13"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200918-0002"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4472-1"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Untrusted Search Path in PostgreSQL"
}

GHSA-6VG9-PG49-5FG4

Vulnerability from github – Published: 2025-04-08 18:34 – Updated: 2025-04-08 18:34
VLAI
Details

Untrusted search path in System Center allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27743"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T18:16:03Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path in System Center allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-6vg9-pg49-5fg4",
  "modified": "2025-04-08T18:34:55Z",
  "published": "2025-04-08T18:34:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27743"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27743"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6VGR-GF7R-F3JC

Vulnerability from github – Published: 2026-04-16 00:54 – Updated: 2026-04-16 00:54
VLAI
Details

Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-16T00:16:29Z",
    "severity": "LOW"
  },
  "details": "Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path.",
  "id": "GHSA-6vgr-gf7r-f3jc",
  "modified": "2026-04-16T00:54:04Z",
  "published": "2026-04-16T00:54:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40947"
    },
    {
      "type": "WEB",
      "url": "https://www.yubico.com/support/security-advisories/ysa-2026-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6W5H-6RVC-HPRG

Vulnerability from github – Published: 2022-05-17 01:22 – Updated: 2022-05-17 01:22
VLAI
Details

Multiple untrusted search path vulnerabilities in installer in Synology Assistant before 6.1-15163 on Windows allows local attackers to execute arbitrary code and conduct DLL hijacking attack via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-18T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple untrusted search path vulnerabilities in installer in Synology Assistant before 6.1-15163 on Windows allows local attackers to execute arbitrary code and conduct DLL hijacking attack via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory.",
  "id": "GHSA-6w5h-6rvc-hprg",
  "modified": "2022-05-17T01:22:55Z",
  "published": "2022-05-17T01:22:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11160"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/en-global/support/security/Synology_SA_17_44_Synology_Assistant"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6WMF-4RWP-J5X8

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15
VLAI
Details

SupportAssist Client version 3.8 and 3.9 contains an Untrusted search path vulnerability that allows attackers to load an arbitrary .dll file via .dll planting/hijacking, only by a separate administrative action that is not a default part of the SOSInstallerTool.exe installation for executing arbitrary dll's,

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36297"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-28T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "SupportAssist Client version 3.8 and 3.9 contains an Untrusted search path vulnerability that allows attackers to load an arbitrary .dll file via .dll planting/hijacking, only by a separate administrative action that is not a default part of the SOSInstallerTool.exe installation for executing arbitrary dll\u0027s,",
  "id": "GHSA-6wmf-4rwp-j5x8",
  "modified": "2022-05-24T19:15:55Z",
  "published": "2022-05-24T19:15:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36297"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000191057/dsa-2021-163-dell-supportassist-client-consumer-security-update-for-two-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design Implementation

Strategy: Attack Surface Reduction

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Mitigation
Implementation

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Mitigation
Implementation

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Mitigation
Implementation

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.

Mitigation
Implementation

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.

CAPEC-38: Leveraging/Manipulating Configuration File Search Paths

This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.