Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU4djMtajc1aC14cjQ5
Improper Input Validation in libseccomp-golang
libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall arguments could bypass intended access restrictions by specifying a single matching argument.
Permalink: https://github.com/advisories/GHSA-58v3-j75h-xr49JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU4djMtajc1aC14cjQ5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-58v3-j75h-xr49, CVE-2017-18367
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-18367
- https://github.com/seccomp/libseccomp-golang/issues/22
- https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e
- https://access.redhat.com/errata/RHSA-2019:4087
- https://access.redhat.com/errata/RHSA-2019:4090
- https://lists.debian.org/debian-lts-announce/2020/08/msg00016.html
- https://usn.ubuntu.com/4574-1/
- http://www.openwall.com/lists/oss-security/2019/04/25/6
- https://github.com/advisories/GHSA-58v3-j75h-xr49
Blast Radius: 20.5
Affected Packages
go:github.com/seccomp/libseccomp-golang
Dependent packages: 780Dependent repositories: 18,773
Downloads:
Affected Version Ranges: < 0.9.1
Fixed in: 0.9.1
All affected versions: 0.9.0
All unaffected versions: 0.9.1, 0.10.0