CVE-2020-13753 — CRITICAL (10.0)

Q: How severe is CVE-2020-13753?

CVE-2020-13753 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2020-13753?

Check the references section above for vendor advisories and patch information. Affected products include: Webkitgtk Webkitgtk, Wpewebkit Wpe Webkit, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux.

Vulnerability Description

The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl. CLONE_NEWUSER could potentially be used to confuse xdg-desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal's input buffer, similar to CVE-2017-5226.

CVSS Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Webkitgtk	Webkitgtk	< 2.28.3
Wpewebkit	Wpe Webkit	< 2.28.3
Fedoraproject	Fedora	31
Debian	Debian Linux	10.0
Canonical	Ubuntu Linux	18.04
Opensuse	Leap	15.1

Related Weaknesses (CWE)

CWE-20

References

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00074.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202007-11Third Party Advisory
https://trac.webkit.org/changeset/262368/webkitPatchVendor Advisory
https://usn.ubuntu.com/4422-1/Third Party Advisory
https://www.debian.org/security/2020/dsa-4724Third Party Advisory
https://www.openwall.com/lists/oss-security/2020/07/10/1Mailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00074.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202007-11Third Party Advisory
https://trac.webkit.org/changeset/262368/webkitPatchVendor Advisory
https://usn.ubuntu.com/4422-1/Third Party Advisory
https://www.debian.org/security/2020/dsa-4724Third Party Advisory
https://www.openwall.com/lists/oss-security/2020/07/10/1Mailing ListThird Party Advisory

FAQ

What is CVE-2020-13753?

CVE-2020-13753 is a vulnerability with a CVSS score of 10.0 (CRITICAL). The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl. CLONE_NEWUSER could potentially be used to confuse xdg-desk...

How severe is CVE-2020-13753?

CVE-2020-13753 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-13753?

Check the references section above for vendor advisories and patch information. Affected products include: Webkitgtk Webkitgtk, Wpewebkit Wpe Webkit, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux.