CVE-2021-42762

Опубликовано: 20 окт. 2021

Источник: nvd

CVSS3: 5.3

CVSS2: 4.6

EPSS Низкий

Описание

BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.

Ссылки

http://www.openwall.com/lists/oss-security/2021/10/26/9
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/27/1
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/27/2
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/27/4
Mailing List
Third Party Advisory
https://bugs.webkit.org/show_bug.cgi?id=231479
Exploit
Issue Tracking
Vendor Advisory
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6MGXCX7P5AHWOQ6IRT477UKT7IS4DAD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5J2LZQTDX53DNSKSGU7TQYCO2HKSTY4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON5SDVVPVPCAGFPW2GHYATZVZYLPW2L4/
https://www.debian.org/security/2021/dsa-4995
Third Party Advisory
https://www.debian.org/security/2021/dsa-4996
Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/26/9
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/27/1
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/27/2
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/27/4
Mailing List
Third Party Advisory
https://bugs.webkit.org/show_bug.cgi?id=231479
Exploit
Issue Tracking
Vendor Advisory
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6MGXCX7P5AHWOQ6IRT477UKT7IS4DAD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5J2LZQTDX53DNSKSGU7TQYCO2HKSTY4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON5SDVVPVPCAGFPW2GHYATZVZYLPW2L4/

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:webkitgtk:webkitgtk:*:*:*:*:*:*:*:*

Версия до 2.34.1 (исключая)

cpe:2.3:a:wpewebkit:wpe_webkit:*:*:*:*:*:*:*:*

Версия до 2.34.1 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

EPSS

Процентиль: 1%

0.00008

Низкий

5.3 Medium

CVSS3

4.6 Medium

CVSS2

Дефекты

NVD-CWE-Other

Связанные уязвимости

CVE-2021-42762

CVSS3: 5.3

ubuntu

около 4 лет назад

CVE-2021-42762

CVSS3: 5.3

redhat

около 4 лет назад

CVE-2021-42762

CVSS3: 5.3

debian

около 4 лет назад

BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allow ...

openSUSE-SU-2021:3603-1

suse-cvrf

около 4 лет назад

Security update for webkit2gtk3

openSUSE-SU-2021:1454-1

suse-cvrf

около 4 лет назад

Security update for webkit2gtk3

EPSS

Процентиль: 1%

0.00008

Низкий

5.3 Medium

CVSS3

4.6 Medium

CVSS2

Дефекты

NVD-CWE-Other