Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Confused deputy attack in sandbox module resolution
Vulnerability Description
Racket is a general-purpose programming language and an ecosystem for language-oriented programming. In versions prior to 8.2, code evaluated using the Racket sandbox could cause system modules to incorrectly use attacker-created modules instead of their intended dependencies. This could allow system functions to be controlled by the attacker, giving access to facilities intended to be restricted. This problem is fixed in Racket version 8.2. A workaround is available, depending on system settings. For systems that provide arbitrary Racket evaluation, external sandboxing such as containers limit the impact of the problem. For multi-user evaluation systems, such as the `handin-server` system, it is not possible to work around this problem and upgrading is required.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
Vulnerability Type
未有动机的代理或中间人(混淆代理)
Vulnerability Title
Racket 安全漏洞
Vulnerability Description
Racket是开源的一种通用编程语言,也是面向语言编程的生态系统。 Racket 8.2之前版本存在安全漏洞,该漏洞源于使用Racket沙箱评估的代码可能会导致系统模块错误地使用攻击者创建的模块而不是它们预期的依赖项,攻击者可利用此漏洞控制系统功能,从而允许访问旨在受到限制的设施。
CVSS Information
N/A
Vulnerability Type
N/A