CVE-2023-38496
6.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Summary
Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| apptainer | apptainer | >= 1.2.0-rc.2, < 1.2.1 | affected |
Weaknesses
- CWE-271: CWE-271: Privilege Dropping / Lowering Errors
- CWE-269: CWE-269: Improper Privilege Management
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx
- https://github.com/apptainer/apptainer/pull/1523
- https://github.com/apptainer/apptainer/pull/1578
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx
- https://github.com/apptainer/apptainer/pull/1523
- https://github.com/apptainer/apptainer/pull/1578
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.