
CVE-2024-51745

Nov. 21, 2024, 9:45 a.m.

Product(s) Impacted

Wasmtime

  • 24.0.2
  • 25.0.3
  • 26.0.1

Description

Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on. However, it did not block access to the special device filenames that use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access to peripheral devices connected to the computer, or to network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial ports. Patch releases for Wasmtime have been issued as 24.0.2, 25.0.3, and 26.0.1. Users of Wasmtime 23.0.x and prior are recommended to upgrade to one of these patched versions. There are no known workarounds for this issue. Affected Windows users are recommended to upgrade.
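The gap described above, shown as an added example that is not Wasmtime's own code: a device-name check that recognizes only ASCII digits beside one that also recognizes superscript digits. All function names are hypothetical, the name normalization is simplified, and denying the full superscript range is an assumption that covers more than the names the description lists.

```rust
// Added illustration; not Wasmtime source code. Function names are hypothetical.

/// Superscript digits: U+00B9, U+00B2, U+00B3 (Latin-1) plus U+2070 and U+2074..=U+2079.
/// Assumption: the whole range is denied, a superset of the names the advisory lists.
fn is_superscript_digit(c: char) -> bool {
    matches!(c, '\u{00B9}' | '\u{00B2}' | '\u{00B3}' | '\u{2070}' | '\u{2074}'..='\u{2079}')
}

/// Shared matcher; `is_port_digit` decides which characters count as a port number.
fn is_reserved(component: &str, is_port_digit: impl Fn(char) -> bool) -> bool {
    // Simplified normalization (assumption): ignore an extension or stream suffix
    // and trailing spaces, then compare case-insensitively.
    let stem = component.split(|c: char| c == '.' || c == ':').next().unwrap_or("");
    let stem = stem.trim_end_matches(' ').to_uppercase();
    if matches!(stem.as_str(), "CON" | "PRN" | "AUX" | "NUL") {
        return true;
    }
    let mut chars = stem.chars();
    let prefix: String = chars.by_ref().take(3).collect();
    // Exactly one port character must follow the three-letter prefix.
    match (prefix.as_str(), chars.next(), chars.next()) {
        ("COM" | "LPT", Some(d), None) => is_port_digit(d),
        _ => false,
    }
}

/// Incomplete deny list (CWE-184): only ASCII digits are recognized.
fn is_reserved_ascii_only(component: &str) -> bool {
    is_reserved(component, |c| c.is_ascii_digit())
}

/// Hardened check: superscript digits are treated as port numbers too.
fn is_reserved_hardened(component: &str) -> bool {
    is_reserved(component, |c| c.is_ascii_digit() || is_superscript_digit(c))
}

fn main() {
    // Constructed sample path components.
    for name in ["COM1", "com\u{00B9}", "LPT\u{2070}.txt", "NUL ", "COMPUTER", "notes.txt"] {
        println!("{:<12} ascii_only={:<5} hardened={}", name,
                 is_reserved_ascii_only(name), is_reserved_hardened(name));
    }
}
```

A check like this belongs on every path component a guest supplies, before the path reaches the host filesystem API.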

Weaknesses

CWE-184
Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.

CWE ID: 184

CWE-67
Improper Handling of Windows Device Names

The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

CWE ID: 67

Date

Published: Nov. 5, 2024, 10:15 p.m.

Last Modified: Nov. 21, 2024, 9:45 a.m.

Status: Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

Source

security-advisories@github.com

References

https://en.wikipedia.org/ security-advisories@github.com

https://github.com/ security-advisories@github.com

https://github.com/ security-advisories@github.com

https://learn.microsoft.com/ security-advisories@github.com