Vulnerabilites related to projectatomic - bubblewrap
Vulnerability from fkie_nvd
Published
2019-05-29 15:29
Modified
2024-11-21 04:22
Severity ?
7.4 (High) - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| projectatomic | bubblewrap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:projectatomic:bubblewrap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D39BE3CC-42B1-4008-A900-798FA1445831",
"versionEndExcluding": "0.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code."
},
{
"lang": "es",
"value": "El archivo bubblewrap.c en Bubblewrap anterior de versi\u00f3n 0.3.3, utiliza de manera incorrecta directorios temporales en /tmp como un punto de montaje. En algunas configuraciones particulares (relacionadas con XDG_RUNTIME_DIR), un atacante local puede abusar de este defecto para prevenir que otros usuarios ejecuten bubblewrap o potencialmente ejecute c\u00f3digo."
}
],
"id": "CVE-2019-12439",
"lastModified": "2024-11-21T04:22:50.870",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.4,
"impactScore": 5.9,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-05-29T15:29:00.377",
"references": [
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html"
},
{
"source": "cve@mitre.org",
"url": "https://access.redhat.com/errata/RHSA-2019:1833"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695963"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/projectatomic/bubblewrap/issues/304"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3"
},
{
"source": "cve@mitre.org",
"url": "https://security.gentoo.org/glsa/202006-18"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2019:1833"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695963"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/projectatomic/bubblewrap/issues/304"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/202006-18"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-03-31 18:15
Modified
2024-11-21 05:33
Severity ?
7.2 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj | Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj | Mitigation, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| projectatomic | bubblewrap | * | |
| debian | debian_linux | 10.0 | |
| archlinux | arch_linux | - | |
| centos | centos | 7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:projectatomic:bubblewrap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2D233A96-9C6A-4463-BCF3-2ADB5566FD55",
"versionEndExcluding": "0.4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:archlinux:arch_linux:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4824AE2D-462B-477D-9206-3E2090A32146",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:centos:centos:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5FE22A5C-1B9B-4CEB-B0E3-23B628CBBF58",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update."
},
{
"lang": "es",
"value": "Bubblewrap (bwrap) versiones anteriores a 0.4.1, si se instal\u00f3 en modo setuid y el kernel admite espacios de nombres (namespaces) de usuario no privilegiados, entonces la opci\u00f3n \"bwrap --userns2\" puede ser usada para hacer que el proceso setuid contin\u00fae ejecut\u00e1ndose como root mientras es rastreable. Esto a su vez puede ser usado para conseguir permisos root. Tome en cuenta que esto solo afecta a la combinaci\u00f3n de bubblewrap en modo setuid (que t\u00edpicamente es usado cuando no se admiten espacios de nombres de usuario sin privilegios) y la compatibilidad de los espacios de nombres (namespaces) de un usuario no privilegiado. Se conoce que los que est\u00e1n afectados son: * Debian testing/unstable, si los espacios de nombres de un usuario no privilegiado est\u00e1n habilitados (no predeterminados) * Debian buster-backports, si los espacios de nombres de un usuario no privilegiado est\u00e1n habilitados (no predeterminados) * Arch si se usa \"linux-hardened\", si los espacios de nombres de un usuario no privilegiado est\u00e1n habilitados (no predeterminado) * Centos 7 flatpak COPR, si los espacios de nombres de un usuario no privilegiado est\u00e1n habilitados (no predeterminado) Esto ha sido corregido en la versi\u00f3n 0.4.1, y todos los usuarios afectados deben actualizar."
}
],
"id": "CVE-2020-5291",
"lastModified": "2024-11-21T05:33:50.790",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 8.5,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.8,
"impactScore": 5.8,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-31T18:15:26.963",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-648"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-03-29 20:59
Modified
2025-04-20 01:37
Severity ?
Summary
When executing a program via the bubblewrap sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| projectatomic | bubblewrap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:projectatomic:bubblewrap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5521CECD-1BBD-4158-B5D7-3B79004D8E64",
"versionEndIncluding": "0.1.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When executing a program via the bubblewrap sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal\u0027s input buffer, allowing an attacker to escape the sandbox."
},
{
"lang": "es",
"value": "\"Al ejecutar un programa a trav\u00e9s del sandbox bubblewrap, la sesi\u00f3n nonpriv puede escapar a la sesi\u00f3n padre utilizando el ioctl de TIOCSTI para insertar caracteres en el b\u00fafer de entrada del terminal, permitiendo a un atacante escapar del sandbox. \""
}
],
"id": "CVE-2017-5226",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-03-29T20:59:00.310",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2020/07/10/1"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2023/03/17/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97260"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1411811"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/projectatomic/bubblewrap/commit/d7fc532c42f0e9bf427923bab85433282b3e5117"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/projectatomic/bubblewrap/issues/142"
},
{
"source": "cve@mitre.org",
"url": "https://www.openwall.com/lists/oss-security/2023/03/14/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2020/07/10/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2023/03/17/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97260"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1411811"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/projectatomic/bubblewrap/commit/d7fc532c42f0e9bf427923bab85433282b3e5117"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/projectatomic/bubblewrap/issues/142"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.openwall.com/lists/oss-security/2023/03/14/2"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2020-5291 (GCVE-0-2020-5291)
Vulnerability from cvelistv5
Published
2020-03-31 18:00
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-648 - Incorrect Use of Privileged APIs
Summary
Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj | x_refsource_CONFIRM | |
| https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| containers | bubblewrap |
Version: < 0.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.099Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "bubblewrap",
"vendor": "containers",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-648",
"description": "CWE-648: Incorrect Use of Privileged APIs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-31T18:00:18",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240"
}
],
"source": {
"advisory": "GHSA-j2qp-rvxj-43vj",
"discovery": "UNKNOWN"
},
"title": "Privilege escalation in setuid mode via user namespaces in Bubblewrap",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5291",
"STATE": "PUBLIC",
"TITLE": "Privilege escalation in setuid mode via user namespaces in Bubblewrap"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "bubblewrap",
"version": {
"version_data": [
{
"version_value": "\u003c 0.4.1"
}
]
}
}
]
},
"vendor_name": "containers"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-648: Incorrect Use of Privileged APIs"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj",
"refsource": "CONFIRM",
"url": "https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj"
},
{
"name": "https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240",
"refsource": "MISC",
"url": "https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240"
}
]
},
"source": {
"advisory": "GHSA-j2qp-rvxj-43vj",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5291",
"datePublished": "2020-03-31T18:00:18",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5226 (GCVE-0-2017-5226)
Vulnerability from cvelistv5
Published
2017-03-29 00:00
Modified
2024-08-05 14:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
When executing a program via the bubblewrap sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:55:35.806Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/projectatomic/bubblewrap/issues/142"
},
{
"name": "97260",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97260"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1411811"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/projectatomic/bubblewrap/commit/d7fc532c42f0e9bf427923bab85433282b3e5117"
},
{
"name": "[oss-security] 20200710 WebKitGTK and WPE WebKit Security Advisory WSA-2020-0006",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2020/07/10/1"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2023/03/14/2"
},
{
"name": "[oss-security] 20230317 flatpak: CVE-2023-28100: TIOCLINUX can send commands outside sandbox if running on a virtual console",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/03/17/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-01-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "When executing a program via the bubblewrap sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal\u0027s input buffer, allowing an attacker to escape the sandbox."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-17T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/projectatomic/bubblewrap/issues/142"
},
{
"name": "97260",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/97260"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1411811"
},
{
"url": "https://github.com/projectatomic/bubblewrap/commit/d7fc532c42f0e9bf427923bab85433282b3e5117"
},
{
"name": "[oss-security] 20200710 WebKitGTK and WPE WebKit Security Advisory WSA-2020-0006",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2020/07/10/1"
},
{
"url": "https://www.openwall.com/lists/oss-security/2023/03/14/2"
},
{
"name": "[oss-security] 20230317 flatpak: CVE-2023-28100: TIOCLINUX can send commands outside sandbox if running on a virtual console",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2023/03/17/1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-5226",
"datePublished": "2017-03-29T00:00:00",
"dateReserved": "2017-01-09T00:00:00",
"dateUpdated": "2024-08-05T14:55:35.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12439 (GCVE-0-2019-12439)
Vulnerability from cvelistv5
Published
2019-05-29 14:42
Modified
2024-08-04 23:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/projectatomic/bubblewrap/issues/304 | x_refsource_MISC | |
| https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e | x_refsource_MISC | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1695963 | x_refsource_MISC | |
| https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3 | x_refsource_MISC | |
| http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html | vendor-advisory, x_refsource_SUSE | |
| http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html | vendor-advisory, x_refsource_SUSE | |
| https://access.redhat.com/errata/RHSA-2019:1833 | vendor-advisory, x_refsource_REDHAT | |
| https://security.gentoo.org/glsa/202006-18 | vendor-advisory, x_refsource_GENTOO |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:17:40.131Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/projectatomic/bubblewrap/issues/304"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695963"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3"
},
{
"name": "openSUSE-SU-2019:1535",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html"
},
{
"name": "openSUSE-SU-2019:1721",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html"
},
{
"name": "RHSA-2019:1833",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1833"
},
{
"name": "GLSA-202006-18",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202006-18"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AC:H/AV:L/A:H/C:H/I:H/PR:N/S:U/UI:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-15T17:06:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/projectatomic/bubblewrap/issues/304"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695963"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3"
},
{
"name": "openSUSE-SU-2019:1535",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html"
},
{
"name": "openSUSE-SU-2019:1721",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html"
},
{
"name": "RHSA-2019:1833",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1833"
},
{
"name": "GLSA-202006-18",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202006-18"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12439",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AC:H/AV:L/A:H/C:H/I:H/PR:N/S:U/UI:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/projectatomic/bubblewrap/issues/304",
"refsource": "MISC",
"url": "https://github.com/projectatomic/bubblewrap/issues/304"
},
{
"name": "https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e",
"refsource": "MISC",
"url": "https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1695963",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695963"
},
{
"name": "https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3",
"refsource": "MISC",
"url": "https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3"
},
{
"name": "openSUSE-SU-2019:1535",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html"
},
{
"name": "openSUSE-SU-2019:1721",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html"
},
{
"name": "RHSA-2019:1833",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1833"
},
{
"name": "GLSA-202006-18",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-18"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12439",
"datePublished": "2019-05-29T14:42:08",
"dateReserved": "2019-05-29T00:00:00",
"dateUpdated": "2024-08-04T23:17:40.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}