CVE-2023-51661 - Vulnerability Details - OpenCVE

Wasmer is a WebAssembly runtime that enables containers to run anywhere: from Desktop to the Cloud, Edge and even the browser. Wasm programs can access the filesystem outside of the sandbox. Service providers running untrusted Wasm code on Wasmer can unexpectedly expose the host filesystem. This vulnerability has been patched in version 4.2.4.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact total

Vendors	Products
Wasmer	Wasmer

Configuration 1 [-]

cpe:2.3:a:wasmer:wasmer:*:*:*:*:*:rust:*:*

No data.

References

Link	Providers
https://github.com/wasmerio/wasmer/commit/4d63febf9d8b257b0531963b85df48d45d0dbf3c
https://github.com/wasmerio/wasmer/issues/4267
https://github.com/wasmerio/wasmer/security/advisories/GHSA-4mq4-7rw3-vm5j

History

Thu, 17 Apr 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-12-22T14:54:23.103Z

Updated: 2025-04-17T20:29:41.019Z

Reserved: 2023-12-21T14:14:26.224Z

Link: CVE-2023-51661

Vulnrichment

Updated: 2024-08-02T22:40:34.147Z

NVD

Status : Modified

Published: 2023-12-22T15:15:08.377

Modified: 2024-11-21T08:38:33.190

Link: CVE-2023-51661

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-51661", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-21T14:14:26.224Z", "datePublished": "2023-12-22T14:54:23.103Z", "dateUpdated": "2025-04-17T20:29:41.019Z"}, "containers": {"cna": {"title": "Filesystem sandbox not enforced in wasmer-cli", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/wasmerio/wasmer/security/advisories/GHSA-4mq4-7rw3-vm5j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wasmerio/wasmer/security/advisories/GHSA-4mq4-7rw3-vm5j"}, {"name": "https://github.com/wasmerio/wasmer/issues/4267", "tags": ["x_refsource_MISC"], "url": "https://github.com/wasmerio/wasmer/issues/4267"}, {"name": "https://github.com/wasmerio/wasmer/commit/4d63febf9d8b257b0531963b85df48d45d0dbf3c", "tags": ["x_refsource_MISC"], "url": "https://github.com/wasmerio/wasmer/commit/4d63febf9d8b257b0531963b85df48d45d0dbf3c"}], "affected": [{"vendor": "wasmerio", "product": "wasmer", "versions": [{"version": ">= 3.0.0, < 4.2.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-22T14:54:23.103Z"}, "descriptions": [{"lang": "en", "value": "Wasmer is a WebAssembly runtime that enables containers to run anywhere: from Desktop to the Cloud, Edge and even the browser. Wasm programs can access the filesystem outside of the sandbox. Service providers running untrusted Wasm code on Wasmer can unexpectedly expose the host filesystem. This vulnerability has been patched in version 4.2.4."}], "source": {"advisory": "GHSA-4mq4-7rw3-vm5j", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:40:34.147Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/wasmerio/wasmer/security/advisories/GHSA-4mq4-7rw3-vm5j", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/wasmerio/wasmer/security/advisories/GHSA-4mq4-7rw3-vm5j"}, {"name": "https://github.com/wasmerio/wasmer/issues/4267", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wasmerio/wasmer/issues/4267"}, {"name": "https://github.com/wasmerio/wasmer/commit/4d63febf9d8b257b0531963b85df48d45d0dbf3c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wasmerio/wasmer/commit/4d63febf9d8b257b0531963b85df48d45d0dbf3c"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-01-02T16:14:30.366544Z", "id": "CVE-2023-51661", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T20:29:41.019Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-51661", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-21T14:14:26.224Z", "datePublished": "2023-12-22T14:54:23.103Z", "dateUpdated": "2025-04-17T20:29:41.019Z"}, "containers": {"cna": {"title": "Filesystem sandbox not enforced in wasmer-cli", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/wasmerio/wasmer/security/advisories/GHSA-4mq4-7rw3-vm5j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wasmerio/wasmer/security/advisories/GHSA-4mq4-7rw3-vm5j"}, {"name": "https://github.com/wasmerio/wasmer/issues/4267", "tags": ["x_refsource_MISC"], "url": "https://github.com/wasmerio/wasmer/issues/4267"}, {"name": "https://github.com/wasmerio/wasmer/commit/4d63febf9d8b257b0531963b85df48d45d0dbf3c", "tags": ["x_refsource_MISC"], "url": "https://github.com/wasmerio/wasmer/commit/4d63febf9d8b257b0531963b85df48d45d0dbf3c"}], "affected": [{"vendor": "wasmerio", "product": "wasmer", "versions": [{"version": ">= 3.0.0, < 4.2.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-22T14:54:23.103Z"}, "descriptions": [{"lang": "en", "value": "Wasmer is a WebAssembly runtime that enables containers to run anywhere: from Desktop to the Cloud, Edge and even the browser. Wasm programs can access the filesystem outside of the sandbox. Service providers running untrusted Wasm code on Wasmer can unexpectedly expose the host filesystem. This vulnerability has been patched in version 4.2.4."}], "source": {"advisory": "GHSA-4mq4-7rw3-vm5j", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:40:34.147Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/wasmerio/wasmer/security/advisories/GHSA-4mq4-7rw3-vm5j", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/wasmerio/wasmer/security/advisories/GHSA-4mq4-7rw3-vm5j"}, {"name": "https://github.com/wasmerio/wasmer/issues/4267", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wasmerio/wasmer/issues/4267"}, {"name": "https://github.com/wasmerio/wasmer/commit/4d63febf9d8b257b0531963b85df48d45d0dbf3c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wasmerio/wasmer/commit/4d63febf9d8b257b0531963b85df48d45d0dbf3c"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-51661", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-01-02T16:14:30.366544Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T20:29:36.786Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wasmer:wasmer:*:*:*:*:*:rust:*:*", "matchCriteriaId": "14DB3027-8D4F-47CB-9B0C-9603C74C4299", "versionEndExcluding": "4.2.4", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Wasmer is a WebAssembly runtime that enables containers to run anywhere: from Desktop to the Cloud, Edge and even the browser. Wasm programs can access the filesystem outside of the sandbox. Service providers running untrusted Wasm code on Wasmer can unexpectedly expose the host filesystem. This vulnerability has been patched in version 4.2.4."}, {"lang": "es", "value": "Wasmer es un runtime de WebAssembly que permite que los contenedores se ejecuten en cualquier lugar: desde el escritorio hasta la nube, Edge e incluso el navegador. Los programas Wasm pueden acceder al sistema de archivos fuera del entorno limitado. Los proveedores de servicios que ejecutan c\u00f3digo Wasm que no es de confianza en Wasmer pueden exponer inesperadamente el sistema de archivos del host. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 4.2.4."}], "id": "CVE-2023-51661", "lastModified": "2024-11-21T08:38:33.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-22T15:15:08.377", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/wasmerio/wasmer/commit/4d63febf9d8b257b0531963b85df48d45d0dbf3c"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/wasmerio/wasmer/issues/4267"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/wasmerio/wasmer/security/advisories/GHSA-4mq4-7rw3-vm5j"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/wasmerio/wasmer/commit/4d63febf9d8b257b0531963b85df48d45d0dbf3c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://github.com/wasmerio/wasmer/issues/4267"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/wasmerio/wasmer/security/advisories/GHSA-4mq4-7rw3-vm5j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}