DirectorySecurity Advisories
Sign In
Security Advisories

CGA-929r-p9c9-q7pp

Published

Last updated

https://images.chainguard.dev/security/CGA-929r-p9c9-q7pp
Package

zed

Latest Update
Fixed
Fixed Version

0.159.10-r1

Aliases
  • CVE-2024-51756
  • GHSA-hxf5-99xg-86hw

Severity

0.0

Unknown

CVSS V4

Summary

cap-std doesn't fully sandbox all the Windows device filenames

Description

Impact

cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Untrusted filesystem paths could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them provide access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial ports.

Patches

The bug is fixed in https://github.com/bytecodealliance/cap-std/pull/371, which is published in cap-primitives 3.4.1, cap-std 3.4.1, and cap-async-std 3.4.1.

Workarounds

There are no known workarounds for this issue. Affected Windows users are recommended to upgrade.

References

References

Updates


Safe Source for Open Source™
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images