PT-2024-27957 · Wasmer · Wasmer

Yagehu · Published 2024-06-07 · Updated 2024-06-20 · CVE-2024-38358

CVSS v3.1: 2.9 (Low)
Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Wasmer versions prior to 4.3.2

Description: The issue allows WASI programs to traverse a symlink and access the host filesystem if the caller sets both oflags::creat and rights::fd_write. Programs can also crash the runtime by creating a symlink that points outside the sandbox with path_symlink and then opening the link with path_open.

Recommendations: For versions prior to 4.3.2, upgrade to release 4.3.2 to address the issue. As a temporary workaround, consider restricting the use of the path_symlink and path_open functions to minimize the risk of exploitation. Avoid using the oflags::creat and rights::fd_write flags in the affected API endpoints until the issue is resolved.

Exploit · Fix

Path traversal

Related Identifiers

CVE-2024-38358
GHSA-55F3-3QVG-8PV5

Affected Products

Wasmer