
List:       oss-security
Subject:    Re: [oss-security] curl: Windows OpenSSL engine code injection
From:       Jakub Wilk <jwilk () jwilk ! net>
Date:       2019-06-24 6:14:43
Message-ID: 20190624061443.kzsgc6rz7noznnnu () jwilk ! net

* Daniel Stenberg <daniel@haxx.se>, 2019-06-24, 07:46:
>A non-privileged user or program can put code and a config file in a 
>known non-privileged path (under `C:/usr/local/`) that will make curl 
>automatically run the code (as an openssl "engine") on invocation. If 
>that curl is invoked by a privileged user it can do anything it wants.
[...]
>CWE-94: Code Injection

I think CWE-426 (Untrusted Search Path) would be more appropriate for 
this bug.

-- 
Jakub Wilk
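
Added example, not part of the thread or of curl/OpenSSL: a PowerShell audit of whether unprivileged accounts can create files at the location named in the quoted advisory, which is the condition both CWE labels describe. The default path is taken from the advisory text; the list of trusted SIDs and the `-Path` parameter name are assumptions of this sketch. If the directory does not exist, the script checks the nearest existing ancestor, since whoever can create folders there can create the missing path.

```powershell
# Added example: report principals that could plant files under the given path.
param([string]$Path = 'C:\usr\local')   # location named in the quoted advisory

# Assumption: these well-known SIDs are the only ones treated as privileged.
$trusted = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-3-0',         # CREATOR OWNER (inherit-only placeholder, not a grant by itself)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Bits that permit creating files (0x2) or subdirectories (0x4),
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$createMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

# Walk up until something exists: a missing directory is only safe if
# unprivileged users cannot create it.
$probe = $Path
while ($probe -and -not (Test-Path -LiteralPath $probe)) {
    $probe = Split-Path -Path $probe -Parent
}
if (-not $probe) { throw "No existing ancestor found for $Path" }

$findings = foreach ($ace in (Get-Acl -LiteralPath $probe).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.FileSystemRights -band $createMask) -eq 0) { continue }
    $sid = $ace.IdentityReference.Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    if ($trusted -notcontains $sid) {
        [pscustomobject]@{
            CheckedPath = $probe
            Principal   = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "Unprivileged principals can create content at or above $Path"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No unprivileged create rights found on $probe"
}
```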