← Back

Chocolatey

chocolatey

6 CVEs • 6 products

Products (6)

Click to collapse
Toggle
Boxstarter
boxstarter
1 CVE
Chocolatey Ruby
chocolatey_ruby
1 CVE
Chocolatey Cmder
chocolatey_cmder
1 CVE
Chocolatey Python3
chocolatey_python3
1 CVE
Chocolatey Azure Pipelines Agent
chocolatey_azure-pipelines-agent
1 CVE
Chocolatey Php
chocolatey_php
1 CVE

CVEs (6)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2022-45307
1Chocolatey
1Chocolatey Php
Apr 25, 2025
Nov 29, 2022
N/A· v4
4.3 MEDIUM· v3
N/A· v2
Insecure permissions in Chocolatey PHP package v8.1.12 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\tools\php81 and all files located in that folder.
CVE-2022-45306
1Chocolatey
1Chocolatey Azure Pipelines Agent
Apr 25, 2025
Nov 29, 2022
N/A· v4
4.3 MEDIUM· v3
N/A· v2
Insecure permissions in Chocolatey Azure-Pipelines-Agent package v2.211.1 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\agent and all files located in that folder.
CVE-2022-45305
1Chocolatey
1Chocolatey Python3
Apr 25, 2025
Nov 29, 2022
N/A· v4
4.3 MEDIUM· v3
N/A· v2
Insecure permissions in Chocolatey Python3 package v3.11.0 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\Python311 and all files located in that folder.
CVE-2022-45304
1Chocolatey
1Chocolatey Cmder
Apr 25, 2025
Nov 29, 2022
N/A· v4
4.3 MEDIUM· v3
N/A· v2
Insecure permissions in Chocolatey Cmder package v1.3.20 and below grants all users in the Authenticated Users group write privileges for the path C:\tools\Cmder and all files located in that folder.
CVE-2022-45301
1Chocolatey
1Chocolatey Ruby
Apr 25, 2025
Nov 29, 2022
N/A· v4
4.3 MEDIUM· v3
N/A· v2
Insecure permissions in Chocolatey Ruby package v3.1.2.1 and below grants all users in the Authenticated Users group write privileges for the path C:\tools\ruby31 and all files located in that folder.
CVE-2020-15264
1Chocolatey
1Boxstarter
Nov 21, 2024
Oct 20, 2020
N/A· v4
7.8 HIGH· v3
7.2 HIGH· v2
The Boxstarter installer before version 2.13.0 configures C:\ProgramData\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users. To exploit the vu...Show more
The Boxstarter installer before version 2.13.0 configures C:\ProgramData\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users. To exploit the vulnerability, place a DLL in this directory that a privileged service is looking for. For example, WptsExtensions.dll When Windows starts, it'll execute the code in DllMain() with SYSTEM privileges. Any unprivileged user can execute code with SYSTEM privileges. The issue is fixed in version 3.13.0Show less