CVE-2023-40590: Untrusted search path on Windows systems leading to arbitrary code execution

[igirardi]

This appeared in the CVE additional information here GHSA-wfm5-v35h-vwf4.

I found it reported already. I am reporting it here just in case.

[Byron]

Thanks. This advisory originated in this repository and is thus known: GHSA-wfm5-v35h-vwf4 .

However, it seems hard to communicate using an advisory, so we can keep this issue open to collect comments.

[stsewd]

BTW, there is another vulnerability that was reported, that is also pending a fix GHSA-cwvm-v4w8-q58c. Looks like a CVE wasn't requested for that one.

[Byron]

I thought for something less critical, it wouldn't be worth a whole CVE entry.
As collaborator (and author) of the GHSA, are you able to request a CVE? If so, please go ahead if you think there should be one. Otherwise I will do it as per your request. Thanks.

[stsewd]

@Byron only maintainers can request CVEs. If this was intentional, I don't mind having no CVE for that advisory 👍, I was suggesting it since it looks like people are more pending on CVEs than plain advisories (or that seems to me). We could also create a new issue linking to the advisory, so people are more aware of it.

[Byron]

I am happy to follow your advise and requested a CVE. It should increase visibility and with that, the chance for a fix.