CVSS: 8.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-5291 – Privilege escalation in setuid mode via user namespaces in Bubblewrap
https://notcve.org/view.php?id=CVE-2020-5291
Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update. Bubblewrap (bwrap) versiones anteriores a 0.4.1, si se instaló en modo setuid y el kernel admite espacios de nombres (namespaces) de usuario no privilegiados, entonces la opción "bwrap --userns2" puede ser usada para hacer que el proceso setuid continúe ejecutándose como root mientras es rastreable. • https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240 https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj • CWE-269: Improper Privilege Management CWE-648: Incorrect Use of Privileged APIs •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12439 – bubblewrap: temporary directory misuse as mount point
https://notcve.org/view.php?id=CVE-2019-12439
bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code. El archivo bubblewrap.c en Bubblewrap anterior de versión 0.3.3, utiliza de manera incorrecta directorios temporales en /tmp como un punto de montaje. En algunas configuraciones particulares (relacionadas con XDG_RUNTIME_DIR), un atacante local puede abusar de este defecto para prevenir que otros usuarios ejecuten bubblewrap o potencialmente ejecute código. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html https://access.redhat.com/errata/RHSA-2019:1833 https://bugzilla.redhat.com/show_bug.cgi?id=1695963 https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e https://github.com/projectatomic/bubblewrap/issues/304 https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3 https://security.gentoo.org/glsa/202006-18 https:&# • CWE-20: Improper Input Validation CWE-377: Insecure Temporary File •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2017-5226
https://notcve.org/view.php?id=CVE-2017-5226
When executing a program via the bubblewrap sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox. "Al ejecutar un programa a través del sandbox bubblewrap, la sesión nonpriv puede escapar a la sesión padre utilizando el ioctl de TIOCSTI para insertar caracteres en el búfer de entrada del terminal, permitiendo a un atacante escapar del sandbox. " • http://www.openwall.com/lists/oss-security/2020/07/10/1 http://www.openwall.com/lists/oss-security/2023/03/17/1 http://www.securityfocus.com/bid/97260 https://bugzilla.redhat.com/show_bug.cgi?id=1411811 https://github.com/projectatomic/bubblewrap/commit/d7fc532c42f0e9bf427923bab85433282b3e5117 https://github.com/projectatomic/bubblewrap/issues/142 https://www.openwall.com/lists/oss-security/2023/03/14/2 • CWE-20: Improper Input Validation •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 0CVE-2016-8659
https://notcve.org/view.php?id=CVE-2016-8659
Bubblewrap before 0.1.3 sets the PR_SET_DUMPABLE flag, which might allow local users to gain privileges by attaching to the process, as demonstrated by sending commands to a PrivSep socket. Bubblewrap en versiones anteriores a 0.1.3 establece la bandera PR_SET_DUMPABLE, lo que podría permitir a usuarios locales obtener privilegios adjuntando al proceso, como se demuestra enviando comandos a un socket PrivSep. • http://www.openwall.com/lists/oss-security/2016/10/12/5 http://www.openwall.com/lists/oss-security/2016/10/13/4 http://www.securityfocus.com/bid/93542 https://github.com/projectatomic/bubblewrap/issues/107 • CWE-264: Permissions, Privileges, and Access Controls •