#VU100035 Incomplete list of disallowed inputs in Wasmtime - CVE-2024-51745

Cybersecurity Help s.r.o.

Published: 2024-11-07

Vulnerability identifier: #VU100035

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-51745

CWE-ID: CWE-184

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Wasmtime
Web applications / Modules and components for CMS

Vendor: Bytecode Alliance

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to improper validation of superscript digits in the device filenames when restricting access to them. A local user can bypass implemented sandbox restrictions and access devices through those special device filenames.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Wasmtime: 20.0.0 - 26.0.0

External links
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-c2f5-jxjv-2hh8
https://github.com/bytecodealliance/cap-std/pull/371
https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.2
https://github.com/bytecodealliance/wasmtime/releases/tag/v26.0.1
https://github.com/bytecodealliance/wasmtime/releases/tag/v25.0.3

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security restrictions bypass in Wasmtime