GHSA-HPXR-W9W7-G4GV

Vulnerability from github – Published: 2024-01-31 22:39 – Updated: 2024-01-31 22:39
VLAI?
Summary
stereoscope vulnerable to tar path traversal when processing OCI tar archives
Details

Impact

It is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of github.com/anchore/stereoscope/pkg/file.UntarToDirectory() function, the github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider struct, or the higher level github.com/anchore/stereoscope/pkg/image.Image.Read() function express this vulnerability.

Patches

Patched in v0.0.1

Workarounds

If you are using the OCI archive as input into stereoscope then you can switch to using an OCI layout by unarchiving the tar archive and provide the unarchived directory to stereoscope.

References

  • Patch PR https://github.com/anchore/stereoscope/pull/214
Severity ?
5.3 (Medium)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/anchore/stereoscope"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24579"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-31T22:39:17Z",
    "nvd_published_at": "2024-01-31T17:15:40Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIt is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, the  `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct, or the higher level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function express this vulnerability.\n\n### Patches\nPatched in v0.0.1\n\n### Workarounds\nIf you are using the OCI archive as input into stereoscope then you can switch to using an [OCI layout](https://github.com/opencontainers/image-spec/blob/main/image-layout.md) by unarchiving the tar archive and provide the unarchived directory to stereoscope.\n\n### References\n- Patch PR https://github.com/anchore/stereoscope/pull/214",
  "id": "GHSA-hpxr-w9w7-g4gv",
  "modified": "2024-01-31T22:39:17Z",
  "published": "2024-01-31T22:39:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/anchore/stereoscope/security/advisories/GHSA-hpxr-w9w7-g4gv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24579"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anchore/stereoscope/commit/09dacab4d9ee65ee8bc7af8ebf4aa7b5aaa36204"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/anchore/stereoscope"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "stereoscope vulnerable to tar path traversal when processing OCI tar archives"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.