Cyber Resilience

CVE-2021-32773

Medium

Published: 20 July 2021

Published
20 July 2021
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 6.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
EPSS Score 0.0020 41.8th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-32773 is a medium-severity Confused Deputy (CWE-441) vulnerability in Racket-Lang Racket. Its CVSS base score is 6.1 (Medium).

Operationally, ranked at the 41.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Racket is a general-purpose programming language and an ecosystem for language-oriented programming. In versions prior to 8.2, code evaluated using the Racket sandbox could cause system modules to incorrectly use attacker-created modules instead of their intended dependencies. This could allow…

more

system functions to be controlled by the attacker, giving access to facilities intended to be restricted. This problem is fixed in Racket version 8.2. A workaround is available, depending on system settings. For systems that provide arbitrary Racket evaluation, external sandboxing such as containers limit the impact of the problem. For multi-user evaluation systems, such as the `handin-server` system, it is not possible to work around this problem and upgrading is required.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

racket-lang
racket
≤ 8.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-441

Mitigates confused deputy risks by ensuring distinct privilege domains so one partition cannot unintentionally act on behalf of another.

addresses: CWE-610

Limits impact of an externally controlled reference to a primary information resource by switching to an identified alternative.

References