CVE-2023-5834: HashiCorp Vagrant Insecure Operation on Windows Junction / Mount Point vulnerability

October 28, 2023 (updated October 31, 2023)

HashiCorp Vagrant’s Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. Fixed in Vagrant 2.4.0.

References

discuss.hashicorp.com/t/hcsec-2023-31-vagrant-s-windows-installer-allowed-directory-junction-write/59568
github.com/advisories/GHSA-47xw-vw6m-w9fq
nvd.nist.gov/vuln/detail/CVE-2023-5834

Detect and mitigate CVE-2023-5834 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →