
[ASA-202107-39] racket: sandbox escape

2021-07-20 00:00:00
security.archlinux.org

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Attack Vector          : NETWORK
Attack Complexity      : LOW
Authentication         : NONE
Confidentiality Impact : NONE
Integrity Impact       : PARTIAL
Availability Impact    : NONE

CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Attack Vector          : NETWORK
Attack Complexity      : LOW
Privileges Required    : NONE
User Interaction       : NONE
Scope                  : UNCHANGED
Confidentiality Impact : NONE
Integrity Impact       : HIGH
Availability Impact    : NONE

EPSS: 0.001 Low (Percentile: 32.5%)

Arch Linux Security Advisory ASA-202107-39

Severity: Medium
Date    : 2021-07-20
CVE-ID  : CVE-2021-32773
Package : racket
Type    : sandbox escape
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2175

Summary

The package racket before version 8.2-1 is vulnerable to sandbox
escape.

Resolution

Upgrade to 8.2-1.

pacman -Syu "racket>=8.2-1"

The problem has been fixed upstream in version 8.2.

Workaround

None.

Description

In Racket versions prior to 8.2, code evaluated using the Racket
sandbox could cause system modules to incorrectly use attacker-created
modules instead of their intended dependencies. This could allow system
functions to be controlled by the attacker, giving access to facilities
intended to be restricted.

Impact

Code executed in the Racket sandbox could escape its confinement
through attacker-created modules.

References

https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c
https://github.com/racket/racket/commit/9877b84eaadd14e54e555b9f0ac8d784474795ce
https://security.archlinux.org/CVE-2021-32773

OS         Version  Architecture  Package  Version  Filename
ArchLinux  any      any           racket   < 8.2-1  UNKNOWN
