CVE-2023-1521

Summary

On Linux the sccache client can execute arbitrary code with the privileges of a local sccache server, by preloading the code in a shared library passed to LD_PRELOAD.

If the server is run as root (which is the default when installing the snap package https://snapcraft.io/sccache ), this means a user running the sccache client can get root privileges.

Affected Software

VendorProductVersion RangeStatus
Mozillasccache0 < 0.4.0affected

Weaknesses

  • CWE-426: CWE-426 Untrusted Search Path

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References