CVE-2021-32773

Published: Jul 19, 2021

Modified: Aug 3, 2024

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

Racket is a general-purpose programming language and an ecosystem for language-oriented programming. In versions prior to 8.2, code evaluated using the Racket sandbox could cause system modules to incorrectly use attacker-created modules instead of their intended dependencies. This could allow system functions to be controlled by the attacker, giving access to facilities intended to be restricted. This problem is fixed in Racket version 8.2. A workaround is available, depending on system settings. For systems that provide arbitrary Racket evaluation, external sandboxing such as containers limit the impact of the problem. For multi-user evaluation systems, such as the `handin-server` system, it is not possible to work around this problem and upgrading is required.

Vendor	Product	Versions
racket	racket	affected `< 8.2`

Weaknesses (CWE)

CWE-441

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c

x_refsource_CONFIRM

https://github.com/racket/racket/commit/6ca4ffeca1e5877d44f835760ad89f18488d97e1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-32773

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References