Vulnerability-Lookup

rustsec-2024-0438

Vulnerability from osv_rustsec

Published

2024-11-02 12:00

Modified

2025-05-02 08:23

Summary

Wasmtime doesn't fully sandbox all the Windows device filenames

Details

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-c2f5-jxjv-2hh8. For more information see the GitHub-hosted security advisory.

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime",
        "purl": "pkg:cargo/wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "24.0.2"
            },
            {
              "introduced": "25.0.0"
            },
            {
              "fixed": "25.0.3"
            },
            {
              "introduced": "26.0.0"
            },
            {
              "fixed": "26.0.1"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2024-51745",
    "GHSA-c2f5-jxjv-2hh8"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "This is an entry in the RustSec database for the Wasmtime security advisory\nlocated at\nhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-c2f5-jxjv-2hh8.\nFor more information see the GitHub-hosted security advisory.",
  "id": "RUSTSEC-2024-0438",
  "modified": "2025-05-02T08:23:27Z",
  "published": "2024-11-02T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/wasmtime"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0438.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-c2f5-jxjv-2hh8"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Wasmtime doesn\u0027t fully sandbox all the Windows device filenames"
}

GHSA-C2F5-JXJV-2HH8

Vulnerability from github – Published: 2024-11-05 22:18 – Updated: 2025-05-02 12:53

Summary

Wasmtime doesn't fully sandbox all the Windows device filenames

Details

Impact

Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial ports.

Patches

Patch releases for Wasmtime have been issued as 24.0.2, 25.0.3, and 26.0.1. Users of Wasmtime 23.0.x and prior are recommended to upgrade to one of these patched versions.

Workarounds

There are no known workarounds for this issue. Affected Windows users are recommended to upgrade.

References

Microsoft's documentation of the special device filenames
ISO-8859-1
The original PR reporting the issue

Severity ?

2.3 (Low)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "25.0.0"
            },
            {
              "fixed": "25.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "26.0.0"
            },
            {
              "fixed": "26.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "26.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-51745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-67"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-05T22:18:49Z",
    "nvd_published_at": "2024-11-05T22:15:21Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nWasmtime\u0027s filesystem sandbox implementation on Windows blocks access to special device filenames such as \"COM1\", \"COM2\", \"LPT0\", \"LPT1\", and so on, however it did not block access to the special device filenames which use superscript digits, such as \"COM\u00b9\", \"COM\u00b2\", \"LPT\u2070\", \"LPT\u00b9\", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial ports.\n\n### Patches\n\nPatch releases for Wasmtime have been issued as 24.0.2, 25.0.3, and 26.0.1. Users of Wasmtime 23.0.x and prior are recommended to upgrade to one of these patched versions.\n\n### Workarounds\n\nThere are no known workarounds for this issue. Affected Windows users are recommended to upgrade.\n\n### References\n\n - [Microsoft\u0027s documentation](https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file#naming-conventions) of the special device filenames\n - [ISO-8859-1](https://en.wikipedia.org/wiki/ISO/IEC_8859-1)\n - [The original PR reporting the issue](https://github.com/bytecodealliance/cap-std/pull/371)",
  "id": "GHSA-c2f5-jxjv-2hh8",
  "modified": "2025-05-02T12:53:57Z",
  "published": "2024-11-05T22:18:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-c2f5-jxjv-2hh8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51745"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/cap-std/pull/371"
    },
    {
      "type": "WEB",
      "url": "https://en.wikipedia.org/wiki/ISO/IEC_8859-1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bytecodealliance/wasmtime"
    },
    {
      "type": "WEB",
      "url": "https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file#naming-conventions"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0438.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Wasmtime doesn\u0027t fully sandbox all the Windows device filenames"
}

CVE-2024-51745 (GCVE-0-2024-51745)

Vulnerability from cvelistv5 – Published: 2024-11-05 21:09 – Updated: 2024-11-05 21:28

Title

Wasmtime doesn't fully sandbox all the Windows device filenames

Summary

Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial ports. Patch releases for Wasmtime have been issued as 24.0.2, 25.0.3, and 26.0.1. Users of Wasmtime 23.0.x and prior are recommended to upgrade to one of these patched versions. There are no known workarounds for this issue. Affected Windows users are recommended to upgrade.

Severity ?

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CWE

CWE-67 - Improper Handling of Windows Device Names
CWE-184 - Incomplete List of Disallowed Inputs

Assigner

GitHub_M

References

URL

Tags

	https://github.com/bytecodealliance/wasmtime/secu…	x_refsource_CONFIRM
	https://github.com/bytecodealliance/cap-std/pull/371	x_refsource_MISC
	https://en.wikipedia.org/wiki/ISO/IEC_8859-1	x_refsource_MISC
	https://learn.microsoft.com/en-us/windows/win32/f…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	bytecodealliance	wasmtime	Affected: < 24.0.2 Affected: >= 25.0.0, < 25.0.3 Affected: = 26.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51745",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-05T21:28:24.494004Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-05T21:28:34.001Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wasmtime",
          "vendor": "bytecodealliance",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 24.0.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 25.0.0, \u003c 25.0.3"
            },
            {
              "status": "affected",
              "version": "= 26.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime\u0027s filesystem sandbox implementation on Windows blocks access to special device filenames such as \"COM1\", \"COM2\", \"LPT0\", \"LPT1\", and so on, however it did not block access to the special device filenames which use superscript digits, such as \"COM\u00b9\", \"COM\u00b2\", \"LPT\u2070\", \"LPT\u00b9\", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial ports. Patch releases for Wasmtime have been issued as 24.0.2, 25.0.3, and 26.0.1. Users of Wasmtime 23.0.x and prior are recommended to upgrade to one of these patched versions. There are no known workarounds for this issue. Affected Windows users are recommended to upgrade."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-67",
              "description": "CWE-67: Improper Handling of Windows Device Names",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-184",
              "description": "CWE-184: Incomplete List of Disallowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T21:09:43.943Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-c2f5-jxjv-2hh8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-c2f5-jxjv-2hh8"
        },
        {
          "name": "https://github.com/bytecodealliance/cap-std/pull/371",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bytecodealliance/cap-std/pull/371"
        },
        {
          "name": "https://en.wikipedia.org/wiki/ISO/IEC_8859-1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://en.wikipedia.org/wiki/ISO/IEC_8859-1"
        },
        {
          "name": "https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file#naming-conventions",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file#naming-conventions"
        }
      ],
      "source": {
        "advisory": "GHSA-c2f5-jxjv-2hh8",
        "discovery": "UNKNOWN"
      },
      "title": "Wasmtime doesn\u0027t fully sandbox all the Windows device filenames"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-51745",
    "datePublished": "2024-11-05T21:09:43.943Z",
    "dateReserved": "2024-10-31T14:12:45.790Z",
    "dateUpdated": "2024-11-05T21:28:34.001Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

rustsec-2024-0438

Vulnerability from osv_rustsec

GHSA-C2F5-JXJV-2HH8

Impact

Patches

Workarounds

References

CVE-2024-51745 (GCVE-0-2024-51745)

Tags

Sightings

Nomenclature