util-linuxv2.36: 2 vulnerabilities (highest severity is: 5.5)
Vulnerable Library - util-linuxv2.36
Library home page: https://github.com/karelzak/util-linux.git
Vulnerable Source Files (2)
/deps/util-linux.tar/util-linux/libmount/src/context_umount.c
/deps/util-linux.tar/util-linux/libmount/src/optstr.c
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-3996 | Medium | 5.5 | util-linuxv2.36 | Direct | v2.37.3 | ❌ |
CVE-2021-3995 | Medium | 4.7 | util-linuxv2.36 | Direct | v2.37.3 | ❌ |
Details
CVE-2021-3996
Vulnerable Library - util-linuxv2.36
Library home page: https://github.com/karelzak/util-linux.git
Found in base branch: master
Vulnerable Source Files (1)
/deps/util-linux.tar/util-linux/libmount/src/tab_parse.c
Vulnerability Details
A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.
Publish Date: 2021-11-22
URL: CVE-2021-3996
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2021-3996
Release Date: 2021-11-22
Fix Resolution: v2.37.3
CVE-2021-3995
Vulnerable Library - util-linuxv2.36
Library home page: https://github.com/karelzak/util-linux.git
Found in base branch: master
Vulnerable Source Files (2)
/deps/util-linux.tar/util-linux/libmount/src/context_umount.c
/deps/util-linux.tar/util-linux/libmount/src/optstr.c
Vulnerability Details
A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows an unprivileged local attacker to unmount FUSE filesystems that belong to certain other users who have a UID that is a prefix of the UID of the attacker in its string form. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.
Publish Date: 2021-11-22
URL: CVE-2021-3995
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2021-3995
Release Date: 2021-11-22
Fix Resolution: v2.37.3