CVE-2023-38496

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-38496
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-38496.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-38496
Aliases
Related
Published
2023-07-25T22:15:10Z
Modified
2024-08-20T20:59:08.230795Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
[none]
Details

Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, so subsequent functions are called with root privileges. The attack surface is rather limited for users, but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.

References

Affected packages

Git / github.com/apptainer/apptainer

Affected ranges

Type
GIT
Repo
https://github.com/apptainer/apptainer
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

v0.*

v0.1.0
v0.1.1

v1.*

v1.0.0
v1.0.0-rc.1
v1.0.0-rc.2
v1.0.0-rc.2-2
v1.0.0-rc.2.3
v1.0.1
v1.0.2
v1.0.3
v1.1.0
v1.1.0-rc.1
v1.1.0-rc.2
v1.1.0-rc.3
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.0
v1.2.0-rc.1
v1.2.0-rc.2