CVSS: 9.6EPSS: 0%CPEs: 3EXPL: 0CVE-2021-37981
https://notcve.org/view.php?id=CVE-2021-37981
Heap buffer overflow in Skia in Google Chrome prior to 95.0.4638.54 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. • https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_19.html https://crbug.com/1246631 https://www.debian.org/security/2022/dsa-5046 • CWE-787: Out-of-bounds Write •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 1CVE-2021-42762
https://notcve.org/view.php?id=CVE-2021-42762
BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. • http://www.openwall.com/lists/oss-security/2021/10/26/9 http://www.openwall.com/lists/oss-security/2021/10/27/1 http://www.openwall.com/lists/oss-security/2021/10/27/2 http://www.openwall.com/lists/oss-security/2021/10/27/4 https://bugs.webkit.org/show_bug.cgi?id=231479 https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6MGXCX7P5AHWOQ6IRT477UKT7IS4DAD https:& •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-23449 – Sandbox Bypass
https://notcve.org/view.php?id=CVE-2021-23449
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine. Esto afecta al paquete vm2 antes de la versión 3.9.4 a través de un vector de ataque de Prototipo de Contaminación, que puede llevar a la ejecución de código arbitrario en la máquina anfitriona • https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886 https://github.com/patriksimek/vm2/issues/363 https://github.com/patriksimek/vm2/releases/tag/3.9.4 https://security.netapp.com/advisory/ntap-20211029-0010 https://snyk.io/vuln/SNYK-JS-VM2-1585918 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 7.8EPSS: 0%CPEs: 18EXPL: 0CVE-2021-40476 – Windows AppContainer Elevation Of Privilege Vulnerability
https://notcve.org/view.php?id=CVE-2021-40476
Windows AppContainer Elevation Of Privilege Vulnerability Una vulnerabilidad de Elevación de Privilegios en Windows AppContainer The WSAQuerySocketSecurity API returns full anonymous impersonation tokens for connected peers in an AppContainer leading to a sandbox escape. • http://packetstormsecurity.com/files/164942/Microsoft-Windows-WSAQuerySocketSecurity-AppContainer-Privilege-Escalation.html https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40476 • CWE-522: Insufficiently Protected Credentials •
CVSS: 9.6EPSS: 1%CPEs: 5EXPL: 0CVE-2021-37973 – Google Chromium Portals Use-After-Free Vulnerability
https://notcve.org/view.php?id=CVE-2021-37973
Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. Un uso de memoria previamente liberada en Portals en Google Chrome versiones anteriores a 94.0.4606.61, permitía que un atacante remoto que hubiera comprometido el proceso de renderización pudiera llevar a cabo un escape del sandbox por medio de una página HTML diseñada Google Chromium Portals contains a use-after-free vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. • https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html https://crbug.com/1251727 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2 https://www.debian.org/security/2022/dsa-5046 • CWE-416: Use After Free •