SUSE update for webkit2gtk3
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2021-42762 |
| CWE-ID | CWE-264 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
SUSE Linux Enterprise Module for Desktop Applications Operating systems & Components / Operating system SUSE Linux Enterprise Module for Basesystem Operating systems & Components / Operating system libwebkit2gtk3-lang Operating systems & Components / Operating system package or component webkit2gtk-4_0-injected-bundles-debuginfo Operating systems & Components / Operating system package or component webkit2gtk-4_0-injected-bundles Operating systems & Components / Operating system package or component libwebkit2gtk-4_0-37-debuginfo Operating systems & Components / Operating system package or component libwebkit2gtk-4_0-37 Operating systems & Components / Operating system package or component libjavascriptcoregtk-4_0-18-debuginfo Operating systems & Components / Operating system package or component libjavascriptcoregtk-4_0-18 Operating systems & Components / Operating system package or component webkit2gtk3-devel Operating systems & Components / Operating system package or component webkit2gtk3-debugsource Operating systems & Components / Operating system package or component typelib-1_0-WebKit2WebExtension-4_0 Operating systems & Components / Operating system package or component typelib-1_0-WebKit2-4_0 Operating systems & Components / Operating system package or component typelib-1_0-JavaScriptCore-4_0 Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Security restrictions bypass
EUVDB-ID: #VU57811
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-42762
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists in BubblewrapLauncher.cpp due to application allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox. A local user can abuse the VFS syscalls that manipulate its filesystem namespace and bypass implemented security restrictions. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined.
MitigationUpdate the affected package webkit2gtk3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Desktop Applications: 15-SP2 - 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3
libwebkit2gtk3-lang: before 2.32.4-15.1
webkit2gtk-4_0-injected-bundles-debuginfo: before 2.32.4-15.1
webkit2gtk-4_0-injected-bundles: before 2.32.4-15.1
libwebkit2gtk-4_0-37-debuginfo: before 2.32.4-15.1
libwebkit2gtk-4_0-37: before 2.32.4-15.1
libjavascriptcoregtk-4_0-18-debuginfo: before 2.32.4-15.1
libjavascriptcoregtk-4_0-18: before 2.32.4-15.1
webkit2gtk3-devel: before 2.32.4-15.1
webkit2gtk3-debugsource: before 2.32.4-15.1
typelib-1_0-WebKit2WebExtension-4_0: before 2.32.4-15.1
typelib-1_0-WebKit2-4_0: before 2.32.4-15.1
typelib-1_0-JavaScriptCore-4_0: before 2.32.4-15.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_module_for_desktop_applications:15-SP2:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_module_for_desktop_applications:15-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_module_for_basesystem:15-SP2:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_module_for_basesystem:15-SP3:*:*:*:*:*:*:*
- cpe:2.3:a:suse:libwebkit2gtk3-lang:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:webkit2gtk-4_0-injected-bundles-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:webkit2gtk-4_0-injected-bundles:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libwebkit2gtk-4_0-37-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libwebkit2gtk-4_0-37:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libjavascriptcoregtk-4_0-18-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libjavascriptcoregtk-4_0-18:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:webkit2gtk3-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:webkit2gtk3-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:typelib-1_0-webkit2webextension-4_0:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:typelib-1_0-webkit2-4_0:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:typelib-1_0-javascriptcore-4_0:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20213603-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
