CVE-2020-13753

EPSS 1.43%
Published 14.07.2020 14:15:17
Last modified 21.11.2024 05:01:46
Source cve@mitre.org
Teams watchlist Login
Open Login

The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl. CLONE_NEWUSER could potentially be used to confuse xdg-desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal's input buffer, similar to CVE-2017-5226.

Affected products Warnungen 0 Metrics 3 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Webkitgtk ≫ Webkitgtk Version < 2.28.3

Wpewebkit ≫ Wpe Webkit Version < 2.28.3

Fedoraproject ≫ Fedora Version31

Debian ≫ Debian Linux Version10.0

Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version19.10

Canonical ≫ Ubuntu Linux Version20.04 SwEditionlts

Opensuse ≫ Leap Version15.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.43%	0.801

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00074.html

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GER2ATKZXDHM7FFYJH67ZPNZZX5VOUVM/

https://security.gentoo.org/glsa/202007-11

Third Party Advisory

https://trac.webkit.org/changeset/262368/webkit

Patch

Vendor Advisory

https://usn.ubuntu.com/4422-1/

Third Party Advisory

https://www.debian.org/security/2020/dsa-4724