6.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-45707

GHSA ID

GHSA-76w9-p8mg-j927

EPSS Score

0.6554%

CWE

CWE-787

Published

1/6/2022

Updated

2/21/2024

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-45707

CVE-2021-45707: Out-of-bounds Write in nix

On certain platforms, if a user has more than 16 groups, the nix::unistd::getgrouplist function will call the libc getgrouplist function with a length parameter greater than the size of the buffer it provides, resulting in an out-of-bounds write and memory corruption.

The libc getgrouplist function takes an in/out parameter ngroups specifying the size of the group buffer. When the buffer is too small to hold all of the requested user's group memberships, some libc implementations, including glibc and Solaris libc, will modify ngroups to indicate the actual number of groups for the user, in addition to returning an error. The version of nix::unistd::getgrouplist in nix 0.16.0 and up will resize the buffer to twice its size, but will not read or modify the ngroups variable. Thus, if the user has more than twice as many groups as the initial buffer size of 8, the next call to getgrouplist will then write past the end of the buffer.

The issue would require editing /etc/groups to exploit, which is usually only editable by the root user.

(GitHub Advisory)

6.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-45707

GHSA ID

GHSA-76w9-p8mg-j927

EPSS Score

0.6554%

CWE

CWE-787

Published

1/6/2022

Updated

2/21/2024

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nix	rust	>= 0.21.0, < 0.21.2	0.21.2
nix	rust	>= 0.22.0, < 0.22.2	0.22.2
nix	rust	>= 0.16.0, < 0.20.2	0.20.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability directly references nix::unistd::getgrouplist in all advisory sources (CVE, GHSA, RustSec). The function's interaction with libc::getgrouplist is flawed because it fails to synchronize the ngroups parameter with the resized buffer capacity. This is explicitly described in the GitHub issue (#1541) and corroborated by all vulnerability descriptions. The function's behavior matches the CWE-787 out-of-bounds write pattern described.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

On **rt*in pl*t*orms, i* * us*r **s mor* t**n ** *roups, t** nix::unist*::**t*rouplist *un*tion will **ll t** li** **t*rouplist *un*tion wit* * l*n*t* p*r*m*t*r *r**t*r t**n t** siz* o* t** *u***r it provi**s, r*sultin* in *n out-o*-*oun*s writ* *n*

Reasoning

T** vuln*r**ility *ir**tly r***r*n**s `nix::unist*::**t*rouplist` in *ll **visory sour**s (*V*, **S*, RustS**). T** *un*tion's int*r**tion wit* `li**::**t*rouplist` is *l*w** ****us* it **ils to syn**roniz* t** n*roups p*r*m*t*r wit* t** r*siz** *u**

6.7

Basic Information

Concerned about an active attack path?

CVE-2021-45707: Out-of-bounds Write in nix

6.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI