admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-05-07 03:02:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add CVE-2021-32773 for GHSA-cgrw-p7p7-937c

Browse Source
This commit is contained in:
Shelby J. Cunningham 2021-07-19 19:51:16 -04:00
parent 121f67dc4a
commit 6b1dd6af96
No known key found for this signature in database
GPG Key ID: 0781D7D998EB82AA
1 changed files with 76 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
2021/32xxx/CVE-2021-32773.json
View File

@ -1,18 +1,88 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32773",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Confused deputy attack in sandbox module resolution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "racket",
"version": {
"version_data": [
{
"version_value": "< 8.2"
}
]
}
}
]
},
"vendor_name": "racket"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Racket is a general-purpose programming language and an ecosystem for language-oriented programming. In versions prior to 8.2, code evaluated using the Racket sandbox could cause system modules to incorrectly use attacker-created modules instead of their intended dependencies. This could allow system functions to be controlled by the attacker, giving access to facilities intended to be restricted. This problem is fixed in Racket version 8.2. A workaround is available, depending on system settings. For systems that provide arbitrary Racket evaluation, external sandboxing such as containers limit the impact of the problem. For multi-user evaluation systems, such as the `handin-server` system, it is not possible to work around this problem and upgrading is required."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c",
"refsource": "CONFIRM",
"url": "https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c"
},
{
"name": "https://github.com/racket/racket/commit/6ca4ffeca1e5877d44f835760ad89f18488d97e1",
"refsource": "MISC",
"url": "https://github.com/racket/racket/commit/6ca4ffeca1e5877d44f835760ad89f18488d97e1"
}
]
},
"source": {
"advisory": "GHSA-cgrw-p7p7-937c",
"discovery": "UNKNOWN"
}
}