Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/apptainer/apptainer: CVE-2023-38496 #1974

Closed
GoVulnBot opened this issue Jul 25, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/apptainer/apptainer: CVE-2023-38496 #1974

GoVulnBot opened this issue Jul 25, 2023 · 1 comment
Labels
duplicate

Comments

@GoVulnBot
Copy link

CVE-2023-38496 references github.com/apptainer/apptainer, which may be a Go module.

Description:
Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/apptainer/apptainer
      vulnerable_at: 1.2.1
      packages:
        - package: apptainer
description: |-
    Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an
    ineffective privilege drop when requesting container network setup, therefore
    subsequent functions are called with root privileges, the attack surface is
    rather limited for users but an attacker could possibly craft a starter config
    to delete any directory on the host filesystems. A security fix has been
    included in Apptainer 1.2.1. There is no known workaround outside of upgrading
    to Apptainer 1.2.1.
cves:
    - CVE-2023-38496
references:
    - advisory: https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx
    - fix: https://github.com/apptainer/apptainer/pull/1523
    - fix: https://github.com/apptainer/apptainer/pull/1578
@tatianab
Copy link
Contributor

Duplicate of #1965

@tatianab tatianab marked this as a duplicate of #1965 Jul 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tatianab @GoVulnBot