{"containers": {"cna": {"affected": [{"product": "bubblewrap", "vendor": "containers", "versions": [{"status": "affected", "version": "< 0.4.1"}]}], "descriptions": [{"lang": "en", "value": "Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-648", "description": "CWE-648: Incorrect Use of Privileged APIs", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-31T18:00:18", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240"}], "source": {"advisory": "GHSA-j2qp-rvxj-43vj", "discovery": "UNKNOWN"}, "title": "Privilege escalation in setuid mode via user namespaces in Bubblewrap", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5291", "STATE": "PUBLIC", "TITLE": "Privilege escalation in setuid mode via user namespaces in Bubblewrap"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "bubblewrap", "version": {"version_data": [{"version_value": "< 0.4.1"}]}}]}, "vendor_name": "containers"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-648: Incorrect Use of Privileged APIs"}]}]}, "references": {"reference_data": [{"name": "https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj", "refsource": "CONFIRM", "url": "https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj"}, {"name": "https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240", "refsource": "MISC", "url": "https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240"}]}, "source": {"advisory": "GHSA-j2qp-rvxj-43vj", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.099Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5291", "datePublished": "2020-03-31T18:00:18", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:09.099Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:projectatomic:bubblewrap:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D233A96-9C6A-4463-BCF3-2ADB5566FD55", "versionEndExcluding": "0.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:archlinux:arch_linux:-:*:*:*:*:*:*:*", "matchCriteriaId": "4824AE2D-462B-477D-9206-3E2090A32146", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:centos:centos:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "5FE22A5C-1B9B-4CEB-B0E3-23B628CBBF58", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update."}, {"lang": "es", "value": "Bubblewrap (bwrap) versiones anteriores a 0.4.1, si se instal\u00f3 en modo setuid y el kernel admite espacios de nombres (namespaces) de usuario no privilegiados, entonces la opci\u00f3n \"bwrap --userns2\" puede ser usada para hacer que el proceso setuid contin\u00fae ejecut\u00e1ndose como root mientras es rastreable. Esto a su vez puede ser usado para conseguir permisos root. Tome en cuenta que esto solo afecta a la combinaci\u00f3n de bubblewrap en modo setuid (que t\u00edpicamente es usado cuando no se admiten espacios de nombres de usuario sin privilegios) y la compatibilidad de los espacios de nombres (namespaces) de un usuario no privilegiado. Se conoce que los que est\u00e1n afectados son: * Debian testing/unstable, si los espacios de nombres de un usuario no privilegiado est\u00e1n habilitados (no predeterminados) * Debian buster-backports, si los espacios de nombres de un usuario no privilegiado est\u00e1n habilitados (no predeterminados) * Arch si se usa \"linux-hardened\", si los espacios de nombres de un usuario no privilegiado est\u00e1n habilitados (no predeterminado) * Centos 7 flatpak COPR, si los espacios de nombres de un usuario no privilegiado est\u00e1n habilitados (no predeterminado) Esto ha sido corregido en la versi\u00f3n 0.4.1, y todos los usuarios afectados deben actualizar."}], "id": "CVE-2020-5291", "lastModified": "2020-04-02T17:33:31.197", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 8.5, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-03-31T18:15:26.963", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-648"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "bubblewrap: privilege escalation in some kernel configurations", "id": "1823504", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1823504"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-648", "details": ["Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update."], "name": "CVE-2020-5291", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Not affected", "impact": "moderate", "package_name": "bubblewrap", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Not affected", "impact": "low", "package_name": "bubblewrap", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "bubblewrap", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2020-03-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-5291\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-5291"], "statement": "Red Hat CloudForms 5.10 uses vulnerable bubblewrap package, however 5.11 is not vulnerable to this flaw. CloudForms may update bubblewrap in future.\nRed Hat Ansible Tower is not vulnerable, as it uses 0.3.3 bubblewrap package version, only bubblewrap 0.4.0 package version is affected.\nThe version of bubblewrap package as shipped with Red Hat Enterprise Linux 8 is not affected by this issue. Although we have the affected code, Red Hat Enterprise Linux 8 bubblewrap doesn't use the setuid mechanism for privilege escalation, which is the attack vector for this issue, but capabilities instead. Red Hat Enterprise Linux's bubblewrap may be update in the future to a version\nwhich includes the fix.", "threat_severity": "Moderate"}