CVE-2019-12499 — Project Firejail vulnerability

7 documents6 sources

Severity

8.1HIGHNVD

EPSS

1.3%

top 19.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Firejail Project Firejail

Timeline

PublishedMay 31

Latest updateMay 24

Description

Firejail before 0.9.60 allows truncation (resizing to length 0) of the firejail binary on the host by running exploit code inside a firejail sandbox and having the sandbox terminated. To succeed, certain conditions need to be fulfilled: The jail (with the exploit code inside) needs to be started as root, and it also needs to be terminated as root from the host (either by stopping it ungracefully (e.g., SIGKILL), or by using the --shutdown control command). This is similar to CVE-2019-5736.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

▶NVDfirejail_project/firejail< 0.9.60

▶Debianfirejail_project/firejail< 0.9.58.2-2+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-933r-r67f-x632: Firejail before 0↗2022-05-24

▶

OSV

CVE-2019-12499: Firejail before 0↗2019-05-31

▶

CVEList

CVE-2019-12499: Firejail before 0↗2019-05-31

▶

📋Vendor Advisories

Debian

CVE-2019-12499: firejail - Firejail before 0.9.60 allows truncation (resizing to length 0) of the firejail ...↗2019

▶

💬Community

Bugzilla

CVE-2019-12499 firejail: file descriptors command execution↗2019-06-04

▶

Bugzilla

CVE-2019-12499 firejail: file descriptors command execution [fedora-all]↗2019-06-04

▶