CVSS: 8.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-5291 – Privilege escalation in setuid mode via user namespaces in Bubblewrap
https://notcve.org/view.php?id=CVE-2020-5291
31 Mar 2020 — Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected ... • https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240 • CWE-269: Improper Privilege Management CWE-648: Incorrect Use of Privileged APIs •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12439 – bubblewrap: temporary directory misuse as mount point
https://notcve.org/view.php?id=CVE-2019-12439
29 May 2019 — bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code. El archivo bubblewrap.c en Bubblewrap anterior de versión 0.3.3, utiliza de manera incorrecta directorios temporales en /tmp como un punto de montaje. En algunas configuraciones particulares (relacionadas con XDG_RUNTIME_DIR), un atacant... • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html • CWE-20: Improper Input Validation CWE-377: Insecure Temporary File •
CVSS: 10.0EPSS: 7%CPEs: 1EXPL: 1CVE-2017-5226
https://notcve.org/view.php?id=CVE-2017-5226
29 Mar 2017 — When executing a program via the bubblewrap sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox. "Al ejecutar un programa a través del sandbox bubblewrap, la sesión nonpriv puede escapar a la sesión padre utilizando el ioctl de TIOCSTI para insertar caracteres en el búfer de entrada del terminal, permitiendo a un atacante escapar del sandbox. " • http://www.openwall.com/lists/oss-security/2020/07/10/1 • CWE-20: Improper Input Validation •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 0CVE-2016-8659
https://notcve.org/view.php?id=CVE-2016-8659
13 Feb 2017 — Bubblewrap before 0.1.3 sets the PR_SET_DUMPABLE flag, which might allow local users to gain privileges by attaching to the process, as demonstrated by sending commands to a PrivSep socket. Bubblewrap en versiones anteriores a 0.1.3 establece la bandera PR_SET_DUMPABLE, lo que podría permitir a usuarios locales obtener privilegios adjuntando al proceso, como se demuestra enviando comandos a un socket PrivSep. • http://www.openwall.com/lists/oss-security/2016/10/12/5 • CWE-264: Permissions, Privileges, and Access Controls •