Security restrictions bypass in Bubblewrap
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-5226 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Bubblewrap Server applications / Other server solutions |
| Vendor | Project Atomic |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Input validation error
EUVDB-ID: #VU73856
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5226
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input. The non-privileged session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox.
MitigationInstall updates from vendor's website.
Vulnerable software versionsBubblewrap: 0.1.0 - 0.1.4
External linkshttp://github.com/projectatomic/bubblewrap/issues/142
http://github.com/projectatomic/bubblewrap/commit/d7fc532c42f0e9bf427923bab85433282b3e5117
http://bugzilla.redhat.com/show_bug.cgi?id=1411811
http://www.securityfocus.com/bid/97260
http://www.openwall.com/lists/oss-security/2020/07/10/1
http://www.openwall.com/lists/oss-security/2023/03/14/2
http://www.openwall.com/lists/oss-security/2023/03/17/1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
