CVE-2023-38496

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-38496
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38496.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-38496
Aliases
Related
Published
2023-07-25T22:15:10Z
Modified
2024-08-20T20:58:35.663844Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.

References

Affected packages

Git / github.com/apptainer/apptainer

Affected ranges

Type
GIT
Repo
https://github.com/apptainer/apptainer
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

v0.*

v0.1.0
v0.1.1

v1.*

v1.0.0
v1.0.0-rc.1
v1.0.0-rc.2
v1.0.0-rc.2-2
v1.0.0-rc.2.3
v1.0.1
v1.0.2
v1.0.3
v1.1.0
v1.1.0-rc.1
v1.1.0-rc.2
v1.1.0-rc.3
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.0
v1.2.0-rc.1
v1.2.0-rc.2