Vulnerability CVE-2022-36564 #126
-
|
Hi, Is the vulnerability report below relevant to this distribution please, i.e. is this the right discussion thread to enquire about it? https://nvd.nist.gov/vuln/detail/CVE-2022-36564 Thanks, |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
Save the click: |
Beta Was this translation helpful? Give feedback.
-
|
Site links to a no-longer-existing page on a random person's GitHub account. They updated the link to here: https://github.com/ycdxsb/Vuln/blob/main/CVE-2022-36564/CVE-2022-36564.md which provides zero information other than |
Beta Was this translation helpful? Give feedback.
-
|
Thanks, I did wonder about the quality of the report, especially because there are some almost identically worded ones "Incorrect access control in the install directory..." for other products. CVE-2022-36562 Rubyinstaller2 v3.1.2 Unfortunately a customer is using what they desribe as an "App Locker" that is now blocking perl, perhaps on an blunt "CVE X applies to product Y version Z" basis. I will go back to the customer and suggest that their "App Locker" has no reason to block perl, given the quality of the report. Regards, |
Beta Was this translation helpful? Give feedback.
-
|
To clarify, I received more info back then. The issue is installing to C:\Strawberry makes it inherit permissions to be writable by all users on the system. So another user can replace an .exe with something malicious, and then you execute it thinking you are running perl etc. |
Beta Was this translation helpful? Give feedback.
Site links to a no-longer-existing page on a random person's GitHub account. They updated the link to here: https://github.com/ycdxsb/Vuln/blob/main/CVE-2022-36564/CVE-2022-36564.md which provides zero information other than
Incorrect access control in the install directory (C:\Strawberry) of StrawberryPerl v5.32.1.1 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.