CVE-2021-32773 — Confused Deputy in Racket

CWE-441 — Confused Deputy CWE-610 — Externally Controlled Reference to a Resource in Another Sphere3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 58.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Racket Racket-lang Racket Debian Racket

Timeline

PublishedJul 20

Description

Racket is a general-purpose programming language and an ecosystem for language-oriented programming. In versions prior to 8.2, code evaluated using the Racket sandbox could cause system modules to incorrectly use attacker-created modules instead of their intended dependencies. This could allow system functions to be controlled by the attacker, giving access to facilities intended to be restricted. This problem is fixed in Racket version 8.2. A workaround is available, depending on system setting…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5racket/racket< 8.2

▶debiandebian/racket< racket 7.9+dfsg1-2 (bookworm)

▶NVDracket-lang/racket< 8.2

▶Debianracket/racket< 7.9+dfsg1-2+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2021-32773: Racket is a general-purpose programming language and an ecosystem for language-oriented programming↗2021-07-20

▶

📋Vendor Advisories

Debian

CVE-2021-32773: racket - Racket is a general-purpose programming language and an ecosystem for language-o...↗2021

▶