List: oss-security
Subject: Re: [oss-security] curl: Windows OpenSSL engine code injection
From: Jakub Wilk <jwilk () jwilk ! net>
Date: 2019-06-24 6:14:43
Message-ID: 20190624061443.kzsgc6rz7noznnnu () jwilk ! net
* Daniel Stenberg <daniel@haxx.se>, 2019-06-24, 07:46:
>A non-privileged user or program can put code and a config file in a
>known non-privileged path (under `C:/usr/local/`) that will make curl
>automatically run the code (as an openssl "engine") on invocation. If
>that curl is invoked by a privileged user it can do anything it wants.
[...]
>CWE-94: Code Injection
I think CWE-426 (Untrusted Search Path) would be more appropriate for
this bug.
--
Jakub Wilk
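
The untrusted search path condition discussed above can be audited on a Windows host. The PowerShell below is an added example, not part of the original message and not code from curl or OpenSSL; the function name `Get-UntrustedWriter` and the list of trusted SIDs are assumptions, and the only path it uses is the `C:/usr/local/` quoted in the advisory text.

```powershell
# Added example: report which non-administrative principals could write to,
# or create, the directory that the advisory says is searched on invocation.
$Root = 'C:\usr\local'                        # path quoted in the advisory text

# Assumption: only SYSTEM and BUILTIN\Administrators count as trusted here.
$TrustedSids = @('S-1-5-18', 'S-1-5-32-544')

# Rights that allow planting or replacing files and directories.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path)

    # If the path does not exist, whoever may create directories in the
    # nearest existing ancestor effectively controls it, so audit that one.
    $probe = $Path
    while ($probe -and -not (Test-Path -LiteralPath $probe)) {
        $probe = Split-Path -Path $probe -Parent
    }
    if (-not $probe) { return }

    foreach ($ace in (Get-Acl -LiteralPath $probe).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.FileSystemRights -band $WriteMask)) { continue }

        # Compare by SID so localized account names do not matter.
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolved entries are already SIDs
        }
        if ($TrustedSids -contains $sid) { continue }

        [pscustomobject]@{
            Audited   = $probe
            Exists    = ($probe -eq $Path)
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
}

$findings = @(Get-UntrustedWriter -Path $Root)
if ($findings.Count) { $findings | Format-Table -AutoSize }
else { "No untrusted principal can write to or create $Root" }
```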