CVE-2022-46330: Uncontrolled Search Path Element

December 21, 2022 (updated January 4, 2023)

Squirrel.Windows is both a toolset and a library that provides installation and update functionality for Windows desktop applications. Installers generated by Squirrel.Windows 2.0.1 and earlier contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privilege of the user invoking the installer.

References

github.com/Squirrel/Squirrel.Windows
github.com/Squirrel/Squirrel.Windows/pull/1807
jvn.jp/en/jp/JVN29902403/index.html
nvd.nist.gov/vuln/detail/CVE-2022-46330

Detect and mitigate CVE-2022-46330 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →