CVE-2020-5291
Vulnerability from cvelistv5
Published
2020-03-31 18:00
Modified
2024-08-04 08:22
Severity ?
7.2 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Summary
Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update.
References
security-advisories@github.comhttps://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240Patch, Third Party Advisory
security-advisories@github.comhttps://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vjMitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vjMitigation, Third Party Advisory
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:22:09.099Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "bubblewrap",
          "vendor": "containers",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.4.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-648",
              "description": "CWE-648: Incorrect Use of Privileged APIs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-31T18:00:18",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240"
        }
      ],
      "source": {
        "advisory": "GHSA-j2qp-rvxj-43vj",
        "discovery": "UNKNOWN"
      },
      "title": "Privilege escalation in setuid mode via user namespaces in Bubblewrap",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-5291",
          "STATE": "PUBLIC",
          "TITLE": "Privilege escalation in setuid mode via user namespaces in Bubblewrap"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "bubblewrap",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 0.4.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "containers"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-648: Incorrect Use of Privileged APIs"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj",
              "refsource": "CONFIRM",
              "url": "https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj"
            },
            {
              "name": "https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240",
              "refsource": "MISC",
              "url": "https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-j2qp-rvxj-43vj",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-5291",
    "datePublished": "2020-03-31T18:00:18",
    "dateReserved": "2020-01-02T00:00:00",
    "dateUpdated": "2024-08-04T08:22:09.099Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-5291\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-03-31T18:15:26.963\",\"lastModified\":\"2024-11-21T05:33:50.790\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update.\"},{\"lang\":\"es\",\"value\":\"Bubblewrap (bwrap) versiones anteriores a 0.4.1, si se instal\u00f3 en modo setuid y el kernel admite espacios de nombres (namespaces) de usuario no privilegiados, entonces la opci\u00f3n \\\"bwrap --userns2\\\" puede ser usada para hacer que el proceso setuid contin\u00fae ejecut\u00e1ndose como root mientras es rastreable. Esto a su vez puede ser usado para conseguir permisos root. Tome en cuenta que esto solo afecta a la combinaci\u00f3n de bubblewrap en modo setuid (que t\u00edpicamente es usado cuando no se admiten espacios de nombres de usuario sin privilegios) y la compatibilidad de los espacios de nombres (namespaces) de un usuario no privilegiado. Se conoce que los que est\u00e1n afectados son: * Debian testing/unstable, si los espacios de nombres de un usuario no privilegiado est\u00e1n habilitados (no predeterminados) * Debian buster-backports, si los espacios de nombres de un usuario no privilegiado est\u00e1n habilitados (no predeterminados) * Arch si se usa \\\"linux-hardened\\\", si los espacios de nombres de un usuario no privilegiado est\u00e1n habilitados (no predeterminado) * Centos 7 flatpak COPR, si los espacios de nombres de un usuario no privilegiado est\u00e1n habilitados (no predeterminado) Esto ha sido corregido en la versi\u00f3n 0.4.1, y todos los usuarios afectados deben actualizar.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.8,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:C/I:C/A:C\",\"baseScore\":8.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":6.8,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-648\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:projectatomic:bubblewrap:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.4.1\",\"matchCriteriaId\":\"2D233A96-9C6A-4463-BCF3-2ADB5566FD55\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:archlinux:arch_linux:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4824AE2D-462B-477D-9206-3E2090A32146\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:centos:centos:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5FE22A5C-1B9B-4CEB-B0E3-23B628CBBF58\"}]}]}],\"references\":[{\"url\":\"https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.