PT-2024-4137 · Unknown · Wix Toolset

Reporter: Robmen
Published: 2024-03-24
Updated: 2024-03-26
CVE: CVE-2024-29188
CVSS v3.1: 7.9 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WiX Toolset versions prior to 3.14.1
WiX Toolset versions prior to 4.0.5

Description
The custom action behind WiX's RemoveFolderEx functionality could allow a standard user to delete protected directories. RemoveFolderEx deletes an entire directory tree during installation or uninstallation by recursing every subdirectory starting at a specified directory and adding each subdirectory to the list of directories Windows Installer should delete. If the setup author instructed RemoveFolderEx to delete a per-user folder from a per-machine installer, an attacker could create a directory junction in that per-user folder pointing to a per-machine, protected directory. Windows Installer, when executing the per-machine installer after approval by an administrator, would delete the target of the directory junction.

Recommendations
For WiX Toolset versions prior to 3.14.1, update to version 3.14.1 or later to resolve the issue. For WiX Toolset versions prior to 4.0.5, update to version 4.0.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of the RemoveFolderEx functionality until a patch is available. Avoid using RemoveFolderEx to delete per-user folders from per-machine installers to minimize the risk of exploitation.
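The link-following behaviour described above, as an added example that is not code from the WiX Toolset or from this advisory: a naive recursive enumeration that queues every directory it can reach, beside a hardened one that inspects each entry with lstat, refuses to descend through a symlink or reparse point, and rejects any entry whose resolved location lies outside the tree being cleaned. The directory layout is constructed for the demonstration, and a POSIX symlink stands in for a Windows directory junction so the script runs on any platform; the Windows-only reparse-point attribute check is included because a junction is not a symlink there.

```python
import os
import stat
import tempfile


def is_reparse_point(path):
    """True if `path` itself is a link: a symlink anywhere, or a junction / other
    reparse point on Windows. lstat inspects the link, not whatever it points to."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    # Windows only: junctions are not symlinks but carry the reparse-point attribute.
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def escapes_root(path, real_root):
    """True if the resolved location of `path` lies outside the tree being cleaned."""
    real = os.path.realpath(path)
    return os.path.commonpath([real, real_root]) != real_root


def collect_dirs_following_links(root):
    """Enumeration with the weakness the advisory describes: every reachable directory
    is queued for deletion, including directories reached through a link."""
    return [dirpath for dirpath, _dirs, _files in os.walk(root, followlinks=True)]


def collect_dirs_safely(root):
    """Hardened enumeration: never descend through a link or reparse point, and refuse
    any entry whose resolved location is outside `root`. Returns (queued, skipped)."""
    real_root = os.path.realpath(root)
    queued, skipped = [], []

    def walk(directory):
        queued.append(directory)
        with os.scandir(directory) as entries:
            for entry in entries:
                if is_reparse_point(entry.path) or escapes_root(entry.path, real_root):
                    skipped.append(entry.path)  # junction or symlink: do not follow it
                elif entry.is_dir(follow_symlinks=False):
                    walk(entry.path)

    walk(root)
    return queued, skipped


def build_fixture():
    """Constructed sample layout (not taken from the advisory): a per-user folder that
    contains a link pointing at a 'protected' per-machine folder. A POSIX symlink stands
    in for the Windows directory junction. Returns (per_user_dir, protected_dir)."""
    base = tempfile.mkdtemp(prefix="removefolderex-")
    per_user = os.path.join(base, "AppData", "Local", "ExampleApp")
    protected = os.path.join(base, "ProgramFiles", "ExampleApp")
    os.makedirs(os.path.join(per_user, "cache"))
    os.makedirs(os.path.join(protected, "bin"))
    os.symlink(protected, os.path.join(per_user, "junction"), target_is_directory=True)
    return per_user, protected


def audit_fixture():
    """Runs both enumerations over the constructed layout and reports whether each
    would have queued the protected directory for deletion."""
    per_user, protected = build_fixture()
    real_protected = os.path.realpath(protected)
    naive = collect_dirs_following_links(per_user)
    queued, skipped = collect_dirs_safely(per_user)
    return {
        "naive_reaches_protected": any(os.path.realpath(p) == real_protected for p in naive),
        "safe_reaches_protected": any(os.path.realpath(p) == real_protected for p in queued),
        "safe_queued": len(queued),
        "safe_skipped": len(skipped),
    }


if __name__ == "__main__":
    for key, value in audit_fixture().items():
        print(f"{key}: {value}")
```

The hardened walk applies two independent checks on purpose: the reparse-point test catches the junction at the point where it sits, and the realpath containment test catches anything that still resolves outside the tree, so a deletion list built from `queued` never contains a path that leaves the per-user folder.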

Exploit

Fix

Weakness Enumeration

Link Following

Related Identifiers

BDU:2024-04607
CVE-2024-29188
GHSA-JX4P-M4WM-VVJG

Affected Products

Wix Toolset