CVE-2024-27301

Name of the Vulnerable Software and Affected Versions Support App versions prior to 2.5.1 Rev 2

Description The issue is related to the postinstall installer script, which can be abused to execute arbitrary code as root due to the use of the shebang #!/bin/zsh. When the installer is executed, it loads the file $HOME/.zshenv, allowing an attacker to add malicious code and escalate privileges on the system.

Recommendations For versions prior to 2.5.1 Rev 2, upgrade to version 2.5.1 Rev 2 to address the issue. As a temporary workaround, consider restricting access to the $HOME/.zshenv file to minimize the risk of exploitation. Avoid using the postinstall installer script until the issue is resolved.