Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat operation and an OverlayFS mount operation.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2021/02/09/1 | Exploit Mailing List Patch Third Party Advisory |
https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b | Patch Third Party Advisory |
https://github.com/netblue30/firejail/releases/tag/0.9.64.4 | Release Notes Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2021/02/msg00015.html | Third Party Advisory |
https://security.gentoo.org/glsa/202105-19 | Third Party Advisory |
https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/ | Exploit Third Party Advisory |
https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt | Exploit Third Party Advisory |
https://www.debian.org/security/2021/dsa-4849 | Third Party Advisory |
Configurations
History
23 May 2022, 22:01
Type | Values Removed | Values Added |
---|---|---|
References | (GENTOO) https://security.gentoo.org/glsa/202105-19 - Third Party Advisory |
26 May 2021, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Feb 2021, 16:19
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 6.9
v3 : 7.0 |
CWE | CWE-367 | |
CPE | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:a:firejail_project:firejail:*:*:*:*:*:*:*:* |
|
References | (MISC) https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt - Exploit, Third Party Advisory | |
References | (DEBIAN) https://www.debian.org/security/2021/dsa-4849 - Third Party Advisory | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2021/02/09/1 - Exploit, Mailing List, Patch, Third Party Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2021/02/msg00015.html - Third Party Advisory | |
References | (MISC) https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/ - Exploit, Third Party Advisory | |
References | (MISC) https://github.com/netblue30/firejail/releases/tag/0.9.64.4 - Release Notes, Third Party Advisory | |
References | (MISC) https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b - Patch, Third Party Advisory |
11 Feb 2021, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Feb 2021, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
09 Feb 2021, 10:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Feb 2021, 20:47
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-02-08 20:15
Updated : 2023-12-10 13:41
NVD link : CVE-2021-26910
Mitre link : CVE-2021-26910
CVE.ORG link : CVE-2021-26910
JSON object : View
Products Affected
debian
- debian_linux
firejail_project
- firejail
CWE
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition