VulnerableCode Package Details - pkg:deb/debian/firejail@0.9.58.2-2%2Bdeb10u3

Search for packages

Vulnerability	Summary	Fixed by
VCID-amhq-f69a-cqcp Aliases: CVE-2020-17368	Firejail through 0.9.62 mishandles shell metacharacters during use of the --output or --output-stderr option, which may lead to command injection.	0.9.64.4-2+deb11u1 Affected by 0 other vulnerabilities.
VCID-d7wz-2aws-e7cw Aliases: CVE-2021-26910	Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat operation and an OverlayFS mount operation.	0.9.64.4-2+deb11u1 Affected by 0 other vulnerabilities.
VCID-frfr-nhbx-qubn Aliases: CVE-2022-31214	A Privilege Context Switching issue was discovered in join.c in Firejail 0.9.68. By crafting a bogus Firejail container that is accepted by the Firejail setuid-root program as a join target, a local attacker can enter an environment in which the Linux user namespace is still the initial user namespace, the NO_NEW_PRIVS prctl is not activated, and the entered mount namespace is under the attacker's control. In this way, the filesystem layout can be adjusted to gain root privileges through execution of available setuid-root binaries such as su or sudo.	0.9.64.4-2+deb11u1 Affected by 0 other vulnerabilities.
VCID-vr8g-6fet-q7ag Aliases: CVE-2020-17367	Firejail through 0.9.62 does not honor the -- end-of-options indicator after the --output option, which may lead to command injection.	0.9.64.4-2+deb11u1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-amhq-f69a-cqcp
Aliases:
CVE-2020-17368

Firejail through 0.9.62 mishandles shell metacharacters during use of the --output or --output-stderr option, which may lead to command injection.

0.9.64.4-2+deb11u1
Affected by 0 other vulnerabilities.

VCID-d7wz-2aws-e7cw
Aliases:
CVE-2021-26910

Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat operation and an OverlayFS mount operation.

0.9.64.4-2+deb11u1
Affected by 0 other vulnerabilities.

VCID-frfr-nhbx-qubn
Aliases:
CVE-2022-31214

A Privilege Context Switching issue was discovered in join.c in Firejail 0.9.68. By crafting a bogus Firejail container that is accepted by the Firejail setuid-root program as a join target, a local attacker can enter an environment in which the Linux user namespace is still the initial user namespace, the NO_NEW_PRIVS prctl is not activated, and the entered mount namespace is under the attacker's control. In this way, the filesystem layout can be adjusted to gain root privileges through execution of available setuid-root binaries such as su or sudo.

0.9.64.4-2+deb11u1
Affected by 0 other vulnerabilities.

VCID-vr8g-6fet-q7ag
Aliases:
CVE-2020-17367

Firejail through 0.9.62 does not honor the -- end-of-options indicator after the --output option, which may lead to command injection.

0.9.64.4-2+deb11u1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-a2cf-yjjc-z3dh	In Firejail before 0.9.60, seccomp filters are writable inside the jail, leading to a lack of intended seccomp restrictions for a process that is joined to the jail after a filter has been modified by an attacker.	CVE-2019-12589
VCID-amhq-f69a-cqcp	Firejail through 0.9.62 mishandles shell metacharacters during use of the --output or --output-stderr option, which may lead to command injection.	CVE-2020-17368
VCID-d7wz-2aws-e7cw	Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat operation and an OverlayFS mount operation.	CVE-2021-26910
VCID-frfr-nhbx-qubn	A Privilege Context Switching issue was discovered in join.c in Firejail 0.9.68. By crafting a bogus Firejail container that is accepted by the Firejail setuid-root program as a join target, a local attacker can enter an environment in which the Linux user namespace is still the initial user namespace, the NO_NEW_PRIVS prctl is not activated, and the entered mount namespace is under the attacker's control. In this way, the filesystem layout can be adjusted to gain root privileges through execution of available setuid-root binaries such as su or sudo.	CVE-2022-31214
VCID-vr8g-6fet-q7ag	Firejail through 0.9.62 does not honor the -- end-of-options indicator after the --output option, which may lead to command injection.	CVE-2020-17367
VCID-wn1u-kwyb-akdq	Firejail before 0.9.60 allows truncation (resizing to length 0) of the firejail binary on the host by running exploit code inside a firejail sandbox and having the sandbox terminated. To succeed, certain conditions need to be fulfilled: The jail (with the exploit code inside) needs to be started as root, and it also needs to be terminated as root from the host (either by stopping it ungracefully (e.g., SIGKILL), or by using the --shutdown control command). This is similar to CVE-2019-5736.	CVE-2019-12499

Vulnerability

Summary

Aliases

VCID-a2cf-yjjc-z3dh

In Firejail before 0.9.60, seccomp filters are writable inside the jail, leading to a lack of intended seccomp restrictions for a process that is joined to the jail after a filter has been modified by an attacker.

CVE-2019-12589

VCID-amhq-f69a-cqcp

Firejail through 0.9.62 mishandles shell metacharacters during use of the --output or --output-stderr option, which may lead to command injection.

CVE-2020-17368

VCID-d7wz-2aws-e7cw

Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat operation and an OverlayFS mount operation.

CVE-2021-26910

VCID-frfr-nhbx-qubn

CVE-2022-31214

VCID-vr8g-6fet-q7ag

Firejail through 0.9.62 does not honor the -- end-of-options indicator after the --output option, which may lead to command injection.

CVE-2020-17367

VCID-wn1u-kwyb-akdq

Firejail before 0.9.60 allows truncation (resizing to length 0) of the firejail binary on the host by running exploit code inside a firejail sandbox and having the sandbox terminated. To succeed, certain conditions need to be fulfilled: The jail (with the exploit code inside) needs to be started as root, and it also needs to be terminated as root from the host (either by stopping it ungracefully (e.g., SIGKILL), or by using the --shutdown control command). This is similar to CVE-2019-5736.

CVE-2019-12499

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T20:15:01.407771+00:00	Debian Oval Importer	Fixing	VCID-a2cf-yjjc-z3dh	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T19:57:43.791966+00:00	Debian Oval Importer	Affected by	VCID-vr8g-6fet-q7ag	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T19:05:41.799758+00:00	Debian Oval Importer	Affected by	VCID-d7wz-2aws-e7cw	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T16:50:36.302239+00:00	Debian Oval Importer	Affected by	VCID-frfr-nhbx-qubn	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T15:33:26.466763+00:00	Debian Oval Importer	Fixing	VCID-wn1u-kwyb-akdq	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T12:31:59.027683+00:00	Debian Oval Importer	Affected by	VCID-amhq-f69a-cqcp	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T11:46:13.723192+00:00	Debian Oval Importer	Fixing	VCID-frfr-nhbx-qubn	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	37.0.0
2025-08-01T11:37:46.380017+00:00	Debian Oval Importer	Fixing	VCID-d7wz-2aws-e7cw	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	37.0.0
2025-08-01T11:25:14.026623+00:00	Debian Oval Importer	Fixing	VCID-vr8g-6fet-q7ag	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	37.0.0
2025-08-01T11:24:42.417689+00:00	Debian Oval Importer	Fixing	VCID-amhq-f69a-cqcp	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	37.0.0