CVE-2021-3747 – MacOS version of Multipass incorrect owner for application directory
https://notcve.org/view.php?id=CVE-2021-3747
The MacOS version of Multipass, version 1.7.0, fixed in 1.7.2, accidentally installed the application directory with an incorrect owner. • https://github.com/canonical/multipass/issues/2261 • CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2021-3626 – Windows version of Multipass unauthenticated localhost tcp control socket can perform mounts
https://notcve.org/view.php?id=CVE-2021-3626
The Windows version of Multipass before 1.7.0 allowed any local process to connect to the localhost TCP control socket to perform mounts from the operating system to a guest, allowing for privilege escalation. • https://github.com/canonical/multipass/pull/2150 • CWE-73: External Control of File Name or Path • CWE-284: Improper Access Control