CVE-2023-24904: 
vulnerability analysis and mitigation

CVE-2023-24904 is a Windows Installer Elevation of Privilege Vulnerability that was disclosed on May 9, 2023. The vulnerability affects multiple Windows operating systems, including Windows Server 2008 and 2008 R2 (NVD).

The vulnerability exists in the Microsoft Windows Installer service, which is an installation and configuration service provided with Windows. It has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H (NVD). The vulnerability is tracked under CWE-59: Improper Link Resolution Before File Access ('Link Following') (NVD).

This vulnerability would enable an attacker to delete specific files on a targeted system but not view or modify their contents. While there is no risk to the confidentiality of the data, the vulnerability poses a significant threat to the integrity and availability of the affected system (Qualys).

Microsoft has released security updates to address this vulnerability. The patches are available through KB5026408, KB5026413, KB5026426, and KB5026427. The patched versions include msi.dll version 5.0.7601.26514 for KB5026426 and KB5026413, and version 4.5.6003.22065 for KB5026408 and KB5026427 (Qualys).