In versions of FreeBSD 13-RELEASE before 13-RELEASE-p5, under certain circumstances the cap_net libcasper(3) service incorrectly validates that updated constraints are strictly subsets of the active constraints. When only a list of resolvable domain names was specified without setting any other limitations, an application could submit a new list of domains including include entries not previously listed. This could permit the application to resolve domain names that were previously restricted.
Weakness
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freebsd | Freebsd | 13.0 (including) | 13.2 (excluding) |
| Freebsd | Freebsd | 13.2 (including) | 13.2 (including) |
| Freebsd | Freebsd | 13.2-p1 (including) | 13.2-p1 (including) |
| Freebsd | Freebsd | 13.2-p2 (including) | 13.2-p2 (including) |
| Freebsd | Freebsd | 13.2-p3 (including) | 13.2-p3 (including) |
| Freebsd | Freebsd | 13.2-p4 (including) | 13.2-p4 (including) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/122.html
- https://cwe.mitre.org/data/definitions/233.html
- https://cwe.mitre.org/data/definitions/58.html