setup.exe before 2.573.2.3 in Cygwin does not properly verify the authenticity of packages, which allows remote Cygwin mirror servers or man-in-the-middle attackers to execute arbitrary code via a package list containing the MD5 checksum of a Trojan horse package.
Get an AI-powered plain-language explanation of this vulnerability and remediation steps.
Login to generate AI explanation18 reference(s) from NVD