Vulnerability Name: CVE-2021-29133 (CCN-198766)

Assigned: 2021-03-22
Published: 2021-03-22
Updated: 2021-03-26
Summary: Lack of verification in haserl, a component of Alpine Linux Configuration Framework, before 0.9.36 allows local users to read the contents of any file on the filesystem.
CVSS v3 Severity: 5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Local
  Attack Complexity (AC): Low
  Privileges Required (PR): Low
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): None
  Availability (A): None
4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
3.5 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Local
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): Low
  Integrity (I): None
  Availability (A): None
CVSS v2 Severity: 2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:
  Access Vector (AV): Local
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): None
  Availability (A): None
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:
  Access Vector (AV): Local
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): None
  Availability (A): None
Vulnerability Type: CWE-noinfo
Vulnerability Consequences: Obtain Information
References:

Source: MITRE
Type: CNA
CVE-2021-29133

Source: CCN
Type: Alpine Linux Web site
Alpine Linux

Source: XF
Type: UNKNOWN
alpinelinuxcf-cve202129133-info-disc(198766)

Source: MISC
Type: Exploit, Patch, Third Party Advisory
https://github.com/rapid7/metasploit-framework/pull/14833

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/rapid7/metasploit-framework/pull/14833/commits/5bf6b2d094deb22fa8183ce161b90cbe4fd40a70

Source: CCN
Type: Alpine GIT Repository
haserl: information disclosure due to setuid binaries (CVE-2021-29133)

Source: MISC
Type: Issue Tracking, Vendor Advisory
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12539

Source: MISC
Type: Third Party Advisory
https://twitter.com/steaIth/status/1364940271054712842

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:haserl_project:haserl:*:*:*:*:*:*:*:* (Version < 0.9.36)

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID                          Class  Title                                      Last Modified
    oval:org.opensuse.security:def:112394  P      haserl-0.9.36-1.3 on GA media (Moderate)   2022-01-17
    oval:org.opensuse.security:def:100353  P      (Important)                                2021-11-16
    oval:org.opensuse.security:def:96426   P      Security update for haserl (Moderate)      2021-09-16
    oval:org.opensuse.security:def:111064  P      Security update for haserl (Moderate)      2021-09-16
    oval:org.opensuse.security:def:109773  P      Security update for haserl (Moderate)      2021-09-16
    oval:org.opensuse.security:def:111504  P      Security update for haserl (Moderate)      2021-09-16
    oval:org.opensuse.security:def:11132   P      Security update for haserl (Moderate)      2021-09-16
    oval:org.opensuse.security:def:103116  P      Security update for haserl (Moderate)      2021-09-16
    oval:org.opensuse.security:def:93640   P      Security update for haserl (Moderate)      2021-09-16
    oval:org.opensuse.security:def:107019  P      Security update for haserl (Moderate)      2021-09-16