VDB
CVE-2024-38358
CVE-2024-38358
PUBLISHED
CVSS 2.9000000953674316 LOW
Wasmer is a web assembly (wasm) Runtime supporting WASIX, WASI and Emscripten. If the preopened directory has a symlink pointing outside, WASI programs can traverse the symlink and access host filesystem if the caller sets both `oflags::creat` and `rights::fd_write`. Programs can also crash the runtime by creating a symlink pointing outside with `path_symlink` and `path_open`ing the link. This issue has been addressed in commit `b9483d022` which has been included in release version 4.3.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
EPSS 0.10% · 28.1th percentile
Risk Scores
CVSS v3.1
2.9000000953674316
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score
0.10%
28.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| crates.io | wasmer | 0 |
| wasmer | wasmer | 0 |
| wasmerio | wasmer | < 4.3.2 |
Timeline
- Jan 21, 1970 Security Advisory
- Jun 7, 2024 CVE Published
- Jun 20, 2024 CVE Updated
- Jun 20, 2024 EPSS Score
- Jul 13, 2024 EPSS Score
- Aug 4, 2024 EPSS Score
- Aug 27, 2024 EPSS Score
- Sep 19, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 11, 2024 EPSS Score
- Nov 3, 2024 EPSS Score
- Nov 26, 2024 EPSS Score