7 matches found
Wasmtime CLI is vulnerable to host panic through its fd_renumber function
Summary: A bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host embedder. The specific bug is triggered by calling path_open after calling fd_renumber with either: - two equal argument values - second argument being equal...
crypt_guard (>=0.1.4 <=1.3.6), crypt_guard_kyber (>=0.1.1 <=0.1.2) +14 more potentially affected by unknown CVE via pqcrypto-kyber (>=0.1.2 <=0.8.1)
pqcrypto-kyber CARGO version =0.1.2, =0.1.4, =0.1.1, =0.1.0, =0.0.1, =0.1.0, =0.7.0-alpha1, =0.1.2, =0.1.0, =0.23.0, =0.35.3 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2024-0381...
deterministic-wasi-ctx (=0.1.3), enarx (>=0.5.0 <=0.5.1) +8 more potentially affected by CVE-2022-31146 via wasmtime (=0.37.0)
wasmtime CARGO version =0.37.0 is affected by a known vulnerability. The following packages have a transitive dependency on wasmtime and may be impacted: - deterministic-wasi-ctx =0.1.3 - enarx =0.5.0, =0.5.1 - enarx-exec-wasmtime =0.5.1 - wasi-tokio =0.37.0 - wasmtime-cli-flags =0.37.0 -...
wasmtime-cli (>=0.35.0 <=0.35.1) potentially affected by CVE-2022-24791 via wasmtime (>=0.35.0 <=0.35.1)
wasmtime CARGO version =0.35.0, =0.35.0, =0.35.1 Source cves: CVE-2022-24791 Source advisory: OSV:GHSA-GWC9-348X-QWV2...
wasmtime-cli (>=0.34.0 <=0.34.1) potentially affected by CVE-2022-24791 via wasmtime (>=0.34.0 <=0.34.1)
wasmtime CARGO version =0.34.0, =0.34.0, =0.34.1 Source cves: CVE-2022-24791 Source advisory: OSV:RUSTSEC-2022-0016...
wasmtime-cli (=0.34.0) potentially affected by CVE-2022-23636 +1 more via wasmtime (=0.34.0)
wasmtime CARGO version =0.34.0 is affected by a known vulnerability. The following packages have a transitive dependency on wasmtime and may be impacted: - wasmtime-cli =0.34.0 Source cves: CVE-2022-23636, CVE-2022-31169 Source advisory: OSV:RUSTSEC-2022-0096...
wasmtime-cli (=0.34.0) potentially affected by CVE-2022-23636 +1 more via wasmtime (=0.34.0)
wasmtime CARGO version =0.34.0 is affected by a known vulnerability. The following packages have a transitive dependency on wasmtime and may be impacted: - wasmtime-cli =0.34.0 Source cves: CVE-2022-23636, CVE-2022-31169 Source advisory: OSV:GHSA-88XQ-W8CQ-XFG7...