CVE-2021-42762 — MEDIUM (5.3)

Q: How severe is CVE-2021-42762?

CVE-2021-42762 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-42762?

Check the references section above for vendor advisories and patch information. Affected products include: Webkitgtk Webkitgtk, Wpewebkit Wpe Webkit, Fedoraproject Fedora, Debian Debian Linux.

Vulnerability Description

BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Webkitgtk	Webkitgtk	< 2.34.1
Wpewebkit	Wpe Webkit	< 2.34.1
Fedoraproject	Fedora	33
Debian	Debian Linux	10.0

References

http://www.openwall.com/lists/oss-security/2021/10/26/9Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/27/1Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/27/2Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/27/4Mailing ListThird Party Advisory
https://bugs.webkit.org/show_bug.cgi?id=231479ExploitIssue TrackingVendor Advisory
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4qThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.debian.org/security/2021/dsa-4995Third Party Advisory
https://www.debian.org/security/2021/dsa-4996Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/26/9Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/27/1Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/27/2Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/27/4Mailing ListThird Party Advisory

FAQ

What is CVE-2021-42762?

CVE-2021-42762 is a vulnerability with a CVSS score of 5.3 (MEDIUM). BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not conf...

How severe is CVE-2021-42762?

CVE-2021-42762 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-42762?

Check the references section above for vendor advisories and patch information. Affected products include: Webkitgtk Webkitgtk, Wpewebkit Wpe Webkit, Fedoraproject Fedora, Debian Debian Linux.