Does CVE-2017-20051 matters ?

139 views
Skip to first unread message

Yo

unread,
Oct 28, 2022, 6:13:31 AM10/28/22
to innosetup
Hi,
I'm planning to use InnoSetup for my installers. I've found an entry (https://nvd.nist.gov/vuln/detail/CVE-2017-20051) which seems to be a PE header format problem more than a "vulnerability". 
What's is the truth ?

Also, I'm looking for a method to retrieve in a script the path for the user's profile (i.e. %USERPROFILE%). It seems there's no script constant for this....

Thank you!


 

  

T Zirn

unread,
Nov 7, 2025, 3:52:44 PM11/7/25
to innosetup
And I'm also wondering which versions this CVE is an issue in? CVEDetails website lists it without any versions which then doesnt show up in the tools made to search these databases. But also insinuates it's all versions forever. I see no mention of it specifically in the release notes. However, there is this reference in the release notes for 6.5.0 "  (This change adds defense-in-depth; it does not address a known vulnerability.)" 

Johannes Schindelin

unread,
Nov 10, 2025, 6:29:51 AM11/10/25
to innosetup
That is a CVE from 2017... and yes, it has been immediately contested whether this double PE entry constitutes a vulnerability: https://seclists.org/fulldisclosure/2017/Mar/16

T Zirn

unread,
Nov 10, 2025, 10:02:41 AM11/10/25
to innosetup
Yes I know it came from 2017 however as I mentioned there is a reference to a "vulnerability" in the InnoSetup 6.5.0 release notes that states  "(This change adds defense-in-depth; it does not address a known vulnerability.)" https://jrsoftware.org/files/is6-whatsnew.htm So if that vulnerability mentioned in the Release Notes does not refer to this one then which one does it refer to? Since it just mentioned "a known vulnerability" but not the specific name we are left to try to figure out which one to list in our Vulnerability Reports and have no way to know when it was fixed, if at all since the only CVE we can find under InnoSetup is notated in such a way that it appears for all versions.
Because this one is listed in the NVD and CVEDetails databases as a vulnerability and the author of InnoSetup mentions a "known vulnerability" in the release notes every user that needs to create vulnerability reports must address this and therefore we need to know if there is another vulnerability that is discussed somewhere else or is this reference by the author in reference to the one in the NVD and CVEDetails databases that is asked about here?

Martijn Laan

unread,
Nov 10, 2025, 10:08:49 AM11/10/25
to innosetup
Hi,

Op 10-11-2025 om 15:19 schreef T Zirn:
Yes I know it came from 2017 however as I mentioned there is a reference to a "vulnerability" in the InnoSetup 6.5.0 release notes that states  "(This change adds defense-in-depth; it does not address a known vulnerability.)" https://jrsoftware.org/files/is6-whatsnew.htm So if that vulnerability mentioned in the Release Notes does not refer to this one then which one does it refer to?

It says "it does not address a known vulnerability." So, it doesn’t refer to a vulnerability.

Greetings,
Martijn

Reply all
Reply to author
Forward
0 new messages