Re: curl: Windows OpenSSL engine code injection

[Jakub Wilk <jwilk () jwilk net>]

* Daniel Stenberg <daniel () haxx se>, 2019-06-24, 07:46:
> A non-privileged user or program can put code and a config file in a 
> known non-privileged path (under `C:/usr/local/`) that will make curl 
> automatically run the code (as an openssl "engine") on invocation. If 
> that curl is invoked by a privileged user it can do anything it wants.
[...]
> CWE-94: Code Injection

I think CWE-426 (Untrusted Search Path) would be more appropriate for 
this bug.

--
Jakub Wilk