CVE-2021-32773

low-risk
Published 2021-07-20

Racket is a general-purpose programming language and an ecosystem for language-oriented programming. In versions prior to 8.2, code evaluated using the Racket sandbox could cause system modules to incorrectly use attacker-created modules instead of their intended dependencies. This could allow system functions to be controlled by the attacker, giving access to facilities intended to be restricted. This problem is fixed in Racket version 8.2. A workaround is available, depending on system settings. For systems that provide arbitrary Racket evaluation, external sandboxing such as containers limit the impact of the problem. For multi-user evaluation systems, such as the `handin-server` system, it is not possible to work around this problem and upgrading is required.

Do I need to act?

-
0.20% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Racket

Affected Vendors

Racket-Lang

References (4)

Patch https://github.com/racket/racket/commit/6ca4ffeca1e5877d44f835760ad89f18488d97e1
Third Party Advisory https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c
Patch https://github.com/racket/racket/commit/6ca4ffeca1e5877d44f835760ad89f18488d97e1
Third Party Advisory https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c
25
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal