#VU75586 Reliance on undefined behavior in Wasmtime - CVE-2023-30624

Cybersecurity Help s.r.o.

Published: 2023-04-28

Vulnerability identifier: #VU75586

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-30624

CWE-ID: CWE-758

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Wasmtime
Web applications / Modules and components for CMS

Vendor: Bytecode Alliance

Description

The vulnerability allows a remote attacker to influence application's behavior.

The vulnerability exists due to LLVM-level undefined behavior when managing per-instance state. A remote attacker can leverage this vulnerability to cause runtime-level issues when compiled with LLVM 16, which can influence application behavior.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Wasmtime: 6.0.0 - 8.0.0

External links
https://github.com/bytecodealliance/wasmtime/commit/0977952dcd9d482bff7c288868ccb52769b3a92e
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ch89-5g45-qwc7

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Amazon Linux AMI update for ecs-service-connect-agent

Multiple vulnerabilities in envoy

Reliance on undefined behavior in Wasmtime