CVSS: 2.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-51745 – Wasmtime doesn't fully sandbox all the Windows device filenames
https://notcve.org/view.php?id=CVE-2024-51745
Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPTā°", "LPT¹", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial ports. Patch releases for Wasmtime have been issued as 24.0.2, 25.0.3, and 26.0.1. • https://en.wikipedia.org/wiki/ISO/IEC_8859-1 https://github.com/bytecodealliance/cap-std/pull/371 https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-c2f5-jxjv-2hh8 https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file#naming-conventions • CWE-67: Improper Handling of Windows Device Names CWE-184: Incomplete List of Disallowed Inputs •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-30624 – Wasmtime has Undefined Behavior in Rust runtime functions
https://notcve.org/view.php?id=CVE-2023-30624
Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issues when compiled with LLVM 16 which causes some writes, which are critical for correctness, to be optimized away. Vulnerable versions of Wasmtime compiled with Rust 1.70, which is currently in beta, or later are known to have incorrectly compiled functions. Versions of Wasmtime compiled with the current Rust stable release, 1.69, and prior are not known at this time to have any issues, but can theoretically exhibit potential issues. The underlying problem is that Wasmtime's runtime state for an instance involves a Rust-defined structure called `Instance` which has a trailing `VMContext` structure after it. • https://github.com/bytecodealliance/wasmtime/commit/0977952dcd9d482bff7c288868ccb52769b3a92e https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ch89-5g45-qwc7 • CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior •