GHSA-xjqr-g762-pxwp

Suggest an improvement
Source
https://github.com/advisories/GHSA-xjqr-g762-pxwp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-xjqr-g762-pxwp/GHSA-xjqr-g762-pxwp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xjqr-g762-pxwp
Aliases
Published
2022-02-15T01:57:18Z
Modified
2024-09-03T03:41:46.113381Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
containernetworking/cni improper limitation of path name
Details

An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1. When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute other existing binaries other than the cni plugins/types, such as 'reboot'. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Specific Go Packages Affected

github.com/containernetworking/cni/pkg/invoke

Database specific
{
    "nvd_published_at": "2021-03-26T22:15:00Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-22"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-18T21:07:06Z"
}
References

Affected packages

Go / github.com/containernetworking/cni

Package

Name
github.com/containernetworking/cni
View open source insights on deps.dev
Purl
pkg:golang/github.com/containernetworking/cni

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.8.1