GHSA-mmx5-32m4-wxvx

Source
https://github.com/advisories/GHSA-mmx5-32m4-wxvx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-mmx5-32m4-wxvx/GHSA-mmx5-32m4-wxvx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mmx5-32m4-wxvx
Aliases
Published
2023-07-25T13:52:20Z
Modified
2024-08-20T20:58:35.663844Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Summary
Ineffective privileges drop when requesting container network
Details

Impact

The fix in https://github.com/apptainer/apptainer/pull/1523, included in Apptainer 1.2.0-rc.2, introduced an ineffective privilege drop when container network setup is requested, so the subsequent functions are called with root privileges. The attack surface is rather limited for users, but an attacker could possibly craft a starter config to delete any directory on the host filesystem. Only setuid installations of Apptainer are affected.
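The defensive pattern the advisory implies is to treat a privilege drop as a post-condition to be verified, not a call whose success is assumed. The following Go program is an added example written for this page; it is not Apptainer's starter code and does not reproduce the flawed change in PR 1523. The function and type names (`PrivState`, `VerifyDropped`, `DropAndVerify`) and the fallback target uid/gid of 65534 are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// PrivState captures the real and effective credentials a process holds.
type PrivState struct {
	UID, EUID, GID, EGID int
}

// CurrentPrivState reads the calling process's real/effective uid and gid.
func CurrentPrivState() PrivState {
	return PrivState{UID: os.Getuid(), EUID: os.Geteuid(), GID: os.Getgid(), EGID: os.Getegid()}
}

// VerifyDropped returns an error unless every credential in s equals the
// unprivileged target and the target itself is not root. This is the check
// that turns a silently ineffective drop into a hard failure instead of
// letting later steps run with euid 0.
func VerifyDropped(s PrivState, targetUID, targetGID int) error {
	if targetUID == 0 || targetGID == 0 {
		return fmt.Errorf("target uid %d / gid %d is root; refusing to treat that as a drop", targetUID, targetGID)
	}
	if s.UID != targetUID || s.EUID != targetUID {
		return fmt.Errorf("uid not dropped: real=%d effective=%d want=%d", s.UID, s.EUID, targetUID)
	}
	if s.GID != targetGID || s.EGID != targetGID {
		return fmt.Errorf("gid not dropped: real=%d effective=%d want=%d", s.GID, s.EGID, targetGID)
	}
	return nil
}

// DropAndVerify lowers the process to targetUID/targetGID and then re-reads
// the credentials from the kernel. Order matters: supplementary groups and the
// gid are changed first, because once the uid is no longer 0 the gid can no
// longer be changed. The final VerifyDropped call is the point of the example:
// a syscall that returns nil but leaves euid 0 (or one that was skipped) is
// caught before any privileged-sensitive work continues.
func DropAndVerify(targetUID, targetGID int) error {
	if os.Geteuid() == 0 {
		// Only root may reset the supplementary group list; non-root callers
		// (as in a local test) already have no extra privilege to shed here.
		if err := syscall.Setgroups([]int{targetGID}); err != nil {
			return fmt.Errorf("setgroups: %w", err)
		}
	}
	if err := syscall.Setgid(targetGID); err != nil {
		return fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(targetUID); err != nil {
		return fmt.Errorf("setuid: %w", err)
	}
	// Do not trust the return values alone: read the state back.
	return VerifyDropped(CurrentPrivState(), targetUID, targetGID)
}

func main() {
	// When run unprivileged, dropping to our own ids is a no-op that still
	// exercises the verification path. When run as root, 65534 ("nobody" on
	// many systems) is an assumed target for demonstration only.
	targetUID, targetGID := os.Getuid(), os.Getgid()
	if targetUID == 0 {
		targetUID, targetGID = 65534, 65534
	}
	fmt.Printf("before: %+v\n", CurrentPrivState())
	if err := DropAndVerify(targetUID, targetGID); err != nil {
		fmt.Println("privilege drop FAILED:", err)
		os.Exit(1)
	}
	fmt.Printf("after:  %+v (drop verified)\n", CurrentPrivState())
}
```

The check is deliberately strict about both real and effective ids: a process whose effective uid was lowered but whose saved or real uid is still 0 can regain root, so anything short of all ids matching the target is treated as "not dropped".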

Patches

The security fix https://github.com/apptainer/apptainer/pull/1578 has been included in Apptainer 1.2.1.

Workarounds

There is no known workaround other than upgrading to Apptainer 1.2.1.

Database specific
{
    "nvd_published_at": "2023-07-25T22:15:10Z",
    "cwe_ids": [
        "CWE-269"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-25T13:52:20Z"
}
References

Affected packages

Go / github.com/apptainer/apptainer

Package

Name
github.com/apptainer/apptainer
Purl
pkg:golang/github.com/apptainer/apptainer

Affected ranges

Type
SEMVER
Events
Introduced
1.2.0
Fixed
1.2.1