{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5557", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-10-12T14:29:58.509Z", "datePublished": "2023-10-13T01:41:45.366Z", "dateUpdated": "2024-09-16T16:13:51.972Z"}, "containers": {"cna": {"title": "Tracker-miners: sandbox escape", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the tracker-miners package. A weakness in the sandbox allows a maliciously-crafted file to execute code outside the sandbox if the tracker-extract process has first been compromised by a separate vulnerability."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "tracker-miners", "defaultStatus": "affected", "versions": [{"version": "0:2.1.5-2.el8_9.1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "tracker-miners", "defaultStatus": "affected", "versions": [{"version": "0:2.1.5-2.el8_2.1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/a:redhat:rhel_tus:8.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "tracker-miners", "defaultStatus": "affected", "versions": [{"version": "0:2.1.5-2.el8_2.1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/a:redhat:rhel_tus:8.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "tracker-miners", "defaultStatus": "affected", "versions": [{"version": "0:2.1.5-2.el8_2.1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/a:redhat:rhel_tus:8.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "tracker-miners", "defaultStatus": "affected", "versions": [{"version": "0:2.1.5-2.el8_4.1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_e4s:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_tus:8.4::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "tracker-miners", "defaultStatus": "affected", "versions": [{"version": "0:2.1.5-2.el8_4.1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_e4s:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_tus:8.4::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "tracker-miners", "defaultStatus": "affected", "versions": [{"version": "0:2.1.5-2.el8_4.1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_e4s:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_tus:8.4::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "tracker-miners", "defaultStatus": "affected", "versions": [{"version": "0:2.1.5-2.el8_6.1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:8.6::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.8 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "tracker-miners", "defaultStatus": "affected", "versions": [{"version": "0:2.1.5-2.el8_8.1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:8.8::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "tracker-miners", "defaultStatus": "affected", "versions": [{"version": "0:3.1.2-4.el9_3", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.0 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "tracker-miners", "defaultStatus": "affected", "versions": [{"version": "0:3.1.2-2.el9_0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:9.0::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.2 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "tracker-miners", "defaultStatus": "affected", "versions": [{"version": "0:3.1.2-4.el9_2", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:9.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "tracker-miners", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:7712", "name": "RHSA-2023:7712", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7713", "name": "RHSA-2023:7713", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7730", "name": "RHSA-2023:7730", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7731", "name": "RHSA-2023:7731", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7732", "name": "RHSA-2023:7732", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7733", "name": "RHSA-2023:7733", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7739", "name": "RHSA-2023:7739", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7744", "name": "RHSA-2023:7744", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5557", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243096", "name": "RHBZ#2243096", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-09-26T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "description": "Protection Mechanism Failure", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-693: Protection Mechanism Failure", "timeline": [{"lang": "en", "time": "2023-10-10T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-09-26T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-16T16:13:51.972Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:59:44.858Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:7712", "name": "RHSA-2023:7712", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7713", "name": "RHSA-2023:7713", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7730", "name": "RHSA-2023:7730", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7731", "name": "RHSA-2023:7731", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7732", "name": "RHSA-2023:7732", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7733", "name": "RHSA-2023:7733", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7739", "name": "RHSA-2023:7739", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7744", "name": "RHSA-2023:7744", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5557", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243096", "name": "RHBZ#2243096", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnome:tracker_miners:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A427232-258E-490A-9302-48D4F2E09BA2", "versionEndExcluding": "3.3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:tracker_miners:*:*:*:*:*:*:*:*", "matchCriteriaId": "032462FC-57CE-40D7-BABC-200E0823F143", "versionEndExcluding": "3.4.5", "versionStartIncluding": "3.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:tracker_miners:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5563BCA-BDDE-4B94-B063-04B87F145015", "versionEndExcluding": "3.5.3", "versionStartIncluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:tracker_miners:*:*:*:*:*:*:*:*", "matchCriteriaId": "22F6C99E-72AE-46FA-AC47-36F1C9CF6186", "versionEndExcluding": "3.6.1", "versionStartIncluding": "3.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the tracker-miners package. A weakness in the sandbox allows a maliciously-crafted file to execute code outside the sandbox if the tracker-extract process has first been compromised by a separate vulnerability."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en el paquete tracker-miners. Una debilidad en la sandbox permite que un archivo creado con fines malintencionados ejecute c\u00f3digo fuera de la sandbox si el proceso de extracci\u00f3n del rastreador se ha visto comprometido primero por una vulnerabilidad separada."}], "id": "CVE-2023-5557", "lastModified": "2023-12-12T22:15:22.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.3, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-10-13T02:15:11.077", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2023:7712"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2023:7713"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2023:7730"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2023:7731"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2023:7732"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2023:7733"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2023:7739"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2023:7744"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-5557"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243096"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-693"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7732", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "tracker-miners-0:2.1.5-2.el8_9.1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-12-12T00:00:00Z"}, {"advisory": "RHSA-2023:7731", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "tracker-miners-0:2.1.5-2.el8_2.1", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2023-12-12T00:00:00Z"}, {"advisory": "RHSA-2023:7731", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "tracker-miners-0:2.1.5-2.el8_2.1", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-12-12T00:00:00Z"}, {"advisory": "RHSA-2023:7731", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "tracker-miners-0:2.1.5-2.el8_2.1", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-12-12T00:00:00Z"}, {"advisory": "RHSA-2023:7739", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "tracker-miners-0:2.1.5-2.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2023-12-12T00:00:00Z"}, {"advisory": "RHSA-2023:7739", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "tracker-miners-0:2.1.5-2.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2023-12-12T00:00:00Z"}, {"advisory": "RHSA-2023:7739", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "tracker-miners-0:2.1.5-2.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2023-12-12T00:00:00Z"}, {"advisory": "RHSA-2023:7733", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "tracker-miners-0:2.1.5-2.el8_6.1", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-12-12T00:00:00Z"}, {"advisory": "RHSA-2023:7730", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "tracker-miners-0:2.1.5-2.el8_8.1", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2023-12-12T00:00:00Z"}, {"advisory": "RHSA-2023:7712", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "tracker-miners-0:3.1.2-4.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-12-11T00:00:00Z"}, {"advisory": "RHSA-2023:7713", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "tracker-miners-0:3.1.2-2.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-12-11T00:00:00Z"}, {"advisory": "RHSA-2023:7744", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "tracker-miners-0:3.1.2-4.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2023-12-12T00:00:00Z"}], "bugzilla": {"description": "tracker-miners: sandbox escape", "id": "2243096", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243096"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L", "status": "verified"}, "cwe": "CWE-693", "details": ["A flaw was found in the tracker-miners package. A weakness in the sandbox allows a maliciously-crafted file to execute code outside the sandbox if the tracker-extract process has first been compromised by a separate vulnerability.", "A flaw was found in the tracker-miners package. A weakness in the sandbox allows a maliciously-crafted file to execute code outside the sandbox if the tracker-extract process has first been compromised by a separate vulnerability."], "name": "CVE-2023-5557", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "tracker-miners", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2023-09-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-5557\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5557"], "statement": "Red Hat Enterprise Linux 7 is not affected as the tracker sandbox is not available.", "threat_severity": "Important", "upstream_fix": "tracker-miners 3.3.2, tracker-miners 3.4.5, tracker-miners 3.5.3, tracker-miners 3.6.1"}