← Voltar para CVEs
CVE-2021-41556
CRITICAL10.0
Descricao
sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution. If a victim executes an attacker-controlled squirrel script, it is possible for the attacker to break out of the squirrel script sandbox even if all dangerous functionality such as File System functions has been disabled. An attacker might abuse this bug to target (for example) Cloud services that allow customization via SquirrelScripts, or distribute malware through video games that embed a Squirrel Engine.
Detalhes CVE
Pontuacao CVSS v3.110.0
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado7/28/2022
Ultima modificacao11/21/2024
Fontenvd
Avistamentos honeypot0
Produtos afetados
fedoraproject:fedorasquirrel-lang:squirrel
Fraquezas (CWE)
CWE-125
Referencias
http://www.squirrel-lang.org/#download(cve@mitre.org)
https://blog.sonarsource.com/squirrel-vm-sandbox-escape/(cve@mitre.org)
https://github.com/albertodemichelis/squirrel/commit/23a0620658714b996d20da3d4dd1a0dcf9b0bd98(cve@mitre.org)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BV7SJJ44AGAX4ILIVPREIXPJ2GOG3FKV/(cve@mitre.org)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M3FQILX7UUEERSDPMZP3MKGTMY2E7ESU/(cve@mitre.org)
http://www.squirrel-lang.org/#download(af854a3a-2127-422b-91ae-364da2661108)
https://blog.sonarsource.com/squirrel-vm-sandbox-escape/(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/albertodemichelis/squirrel/commit/23a0620658714b996d20da3d4dd1a0dcf9b0bd98(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BV7SJJ44AGAX4ILIVPREIXPJ2GOG3FKV/(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M3FQILX7UUEERSDPMZP3MKGTMY2E7ESU/(af854a3a-2127-422b-91ae-364da2661108)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.