CVE-2021-39216
Multiple Vulnerabilities in Wasmtime
MEDIUM 6.3 | EPSS 0.15%
Published: 9/20/2021 | Modified: 3/15/2024
Also known as: GHSA-4873-36h9-wv49, GHSA-q879-9g95-56mx, GHSA-v4cp-h94r-m7xf, PYSEC-2021-320, PYSEC-2021-321, PYSEC-2021-322, RUSTSEC-2021-0110
Description
* [Use after free passing `externref`s to Wasm in Wasmtime](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf)
* [Out-of-bounds read/write and invalid free with `externref`s and GC safepoints in Wasmtime](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4873-36h9-wv49)
* [Wrong type for `Linker`-define functions when used across two `Engine`s](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q879-9g95-56mx)
Affected packages (10)
- crates.io/wasmtime: >= 0.26.0, < 0.30.0
- crates.io/wasmtime: from 0, < 0.30.0
- crates.io/wasmtime: from 0, < 0.30.0
- crates.io/wasmtime: >= 0.0.0-0, < 0.30.0
- PyPI/wasmtime: from 0, < 398a73f0dd862dbe703212ebae8e34036a18c11c | from 0, < 0.30.0
- PyPI/wasmtime: >= 0.26.0, < 0.30.0
- PyPI/wasmtime: from 0, < b39f087414f27ae40c44449ed5d1154e03449bff | from 0, < 0.30.0
- PyPI/wasmtime: from 0, < 0.30.0
- PyPI/wasmtime: from 0, < 0.30.0
- PyPI/wasmtime: from 0, < 101998733b74624cbd348a2366d05760b40181f3 | from 0, < 0.30.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 6.3 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H |
References (18)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-39216
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-39218
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-39219
- PATCH: https://github.com/bytecodealliance/wasmtime
- WEB: https://crates.io/crates/wasmtime
- WEB: https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3
- WEB: https://github.com/bytecodealliance/wasmtime/commit/398a73f0dd862dbe703212ebae8e34036a18c11c
- WEB: https://github.com/bytecodealliance/wasmtime/commit/b39f087414f27ae40c44449ed5d1154e03449bff
- WEB: https://github.com/bytecodealliance/wasmtime-py/compare/0.29.0...0.30.0
- WEB: https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4873-36h9-wv49
- WEB: https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q879-9g95-56mx
- WEB: https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/wasmtime/PYSEC-2021-320.yaml
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/wasmtime/PYSEC-2021-321.yaml
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/wasmtime/PYSEC-2021-322.yaml
- WEB: https://lists.fedoraproject.org/archives/list/[email protected]/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7
- WEB: https://lists.fedoraproject.org/archives/list/[email protected]/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY
- WEB: https://rustsec.org/advisories/RUSTSEC-2021-0110.html