CVE-2021-39216
Multiple Vulnerabilities in Wasmtime
6.3
MEDIUM
CVSS 3.1
EPSS 0.15%
Description
* [Use after free passing `externref`s to Wasm in Wasmtime](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf) * [Out-of-bounds read/write and invalid free with `externref`s and GC safepoints in Wasmtime](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4873-36h9-wv49) * [Wrong type for `Linker`-define functions when used across two `Engine`s](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q879-9g95-56mx)
How to fix CVE-2021-39216
To remediate CVE-2021-39216, upgrade the affected package to a fixed version below.
- —upgrade to 0.30.0 or later
- —upgrade to 0.30.0 or later
- —upgrade to 0.30.0 or later
- —upgrade to 0.30.0 or later
- —upgrade to 398a73f0dd862dbe703212ebae8e34036a18c11c or later
- —upgrade to 0.30.0 or later
- —upgrade to b39f087414f27ae40c44449ed5d1154e03449bff or later
- —upgrade to 0.30.0 or later
- —upgrade to 0.30.0 or later
- —upgrade to 101998733b74624cbd348a2366d05760b40181f3 or later
Is CVE-2021-39216 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (10)
- >= 0.26.0, < 0.30.0
- from 0, < 0.30.0
- from 0, < 0.30.0
- >= 0.0.0-0, < 0.30.0
- from 0, < 398a73f0dd862dbe703212ebae8e34036a18c11c | from 0, < 0.30.0
- >= 0.26.0, < 0.30.0
- from 0, < b39f087414f27ae40c44449ed5d1154e03449bff | from 0, < 0.30.0
- from 0, < 0.30.0
- from 0, < 0.30.0
- from 0, < 101998733b74624cbd348a2366d05760b40181f3 | from 0, < 0.30.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.3 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H |