haserl: information disclosure due to setuid binaries (CVE-2021-29133)
Lack of verification in haserl, a component of the Alpine Linux Configuration Framework, in version 0.9.35 and below allows local users to read the contents of any file on the filesystem.
Affected versions
- v0.9.35 and below
Fixed in version
- v0.9.36
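A host can be checked for the condition described above (a setuid haserl binary combined with a version older than the fixed one). The script below is an added example, not code from haserl or Alpine. The function names, the `haserl*` filename pattern and the search directories are assumptions, and the installed version is passed in by the caller.

```shell
#!/bin/sh
# Added example: audit for the condition described in CVE-2021-29133.
# Assumption: a host is affected when a haserl binary carries the setuid bit
# AND the installed version is older than the fixed version in the advisory.

FIXED_VERSION="0.9.36"   # "Fixed in version" from the advisory

# List regular files named haserl* with the setuid bit under the given dirs.
find_setuid_haserl() {
    find "$@" -type f -name 'haserl*' -perm -4000 2>/dev/null
}

# Exit status 0 if version $1 is >= FIXED_VERSION, 1 otherwise.
# A package revision suffix such as "-r0" is ignored.
version_is_fixed() {
    v=${1%%-*}
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# Usage: audit_haserl INSTALLED_VERSION DIR...
# Exit status 1 (and a report on stdout) if the host looks affected.
audit_haserl() {
    version=$1
    shift
    hits=$(find_setuid_haserl "$@")
    if [ -n "$hits" ] && ! version_is_fixed "$version"; then
        printf 'AFFECTED: setuid haserl %s is older than %s\n%s\n' \
            "$version" "$FIXED_VERSION" "$hits"
        return 1
    fi
    printf 'OK: no setuid haserl older than %s found\n' "$FIXED_VERSION"
    return 0
}

# Run only when arguments are given, e.g.: sh audit.sh 0.9.35 /usr/bin
if [ "$#" -gt 0 ]; then
    audit_haserl "$@"
fi
```

Pass the version reported by the package manager as the first argument, followed by the directories to search.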
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29133
- https://nvd.nist.gov/vuln/detail/CVE-2021-29133
- https://twitter.com/steaIth/status/1364940271054712842
- https://github.com/rapid7/metasploit-framework/pull/14833
- #12491 (closed)
Branches
Edited by Kevin Daudt