Closed mend-for-github-com[bot] closed 1 year ago
Fixed since v0.9.15
### Vulnerable Library - ubridgev0.9.17
Bridge for UDP tunnels, Ethernet, TAP and VMnet interfaces.
Library home page: https://github.com/GNS3/ubridge.git
Found in HEAD commit: 0054327da0dc5e9089e1232af19be1d56bcf2c9a
Found in base branch: master
### Vulnerable Source Files (1)
/src/parse.c
### Vulnerability Details
GNS3 ubridge through 0.9.18 on macOS, as used in GNS3 server before 2.1.17, allows a local attacker to read arbitrary files because it handles configuration-file errors by printing the configuration file while executing in a setuid root context.
Publish Date: 2020-06-23
URL: CVE-2020-14976
### CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://theevilbit.github.io/posts/gns3_ubridge_setuid_bit_arbitrary_file_read/
Release Date: 2020-06-29
Fix Resolution: v0.9.15