CVE-2024-24579 – Tar path traversal in stereoscope when processing OCI tar archives
https://notcve.org/view.php?id=CVE-2024-24579
stereoscope is a Go library for processing container images and simulating a squash filesystem. Prior to version 0.0.1, it is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive its contents, results in writes to paths outside of the unarchive temporary directory. Specifically, use of the `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, the `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct, or the higher-level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function exhibits this vulnerability. As a workaround, if you are using an OCI archive as input to stereoscope, you can switch to an OCI layout instead: unarchive the tar archive yourself and provide the unarchived directory to stereoscope.
References: https://github.com/anchore/stereoscope/commit/09dacab4d9ee65ee8bc7af8ebf4aa7b5aaa36204 , https://github.com/anchore/stereoscope/security/advisories/GHSA-hpxr-w9w7-g4gv
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-24827 – Credential disclosure in syft when SYFT_ATTEST_PASSWORD environment variable set in syft
https://notcve.org/view.php?id=CVE-2023-24827
syft is a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. A password disclosure flaw was found in Syft versions v0.69.0 and v0.69.1: it leaks the password stored in the `SYFT_ATTEST_PASSWORD` environment variable. That variable is used by the `syft attest` command, which generates attested SBOMs for a given container image; its value decrypts the private key (provided with `syft attest --key <path-to-key-file>`) during the signing step of SBOM attestation generation.
References: https://github.com/anchore/syft/commit/9995950c70e849f9921919faffbfcf46401f71f3 , https://github.com/anchore/syft/security/advisories/GHSA-jp7v-3587-2956
Weaknesses: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-532: Insertion of Sensitive Information into Log File
CVE-2022-1766
https://notcve.org/view.php?id=CVE-2022-1766
Anchore Enterprise anchorectl version 0.1.4 improperly stored credentials when generating a Software Bill of Materials: anchorectl adds the credentials used to access the Anchore Enterprise API to the SBOM it generates. Users of anchorectl version 0.1.4 should upgrade to anchorectl version 0.1.5 to resolve this issue.
References: https://docs.anchore.com/current/docs/releasenotes/401
Weakness: CWE-522: Insufficiently Protected Credentials
CVE-2020-11075 – Shell Escape in Anchore Engine
https://notcve.org/view.php?id=CVE-2020-11075
In Anchore Engine version 0.7.0, a specially crafted container image manifest, fetched from a registry, can be used to trigger a shell escape flaw in the Anchore Engine analyzer service during image analysis. The image analysis operation can only be executed by an authenticated user via a valid API request to Anchore Engine, or if an already added image that Anchore is monitoring has its manifest altered to exploit the same flaw. A successful attack can execute commands in the analyzer environment with the same permissions as the user Anchore Engine runs as, including access to the credentials Engine uses to reach its own database (which have read-write ability) as well as access to the running engine analyzer service environment. By default Anchore Engine is released and deployed as a container in which the user is non-root, but if users run Engine directly or explicitly set the user to 'root', then that level of access may be gained in the execution environment where Engine runs. This issue is fixed in version 0.7.1.
References: https://github.com/anchore/anchore-engine/commit/e41786901f097fd32104447a45864073105d37db , https://github.com/anchore/anchore-engine/issues/430 , https://github.com/anchore/anchore-engine/pull/431 , https://github.com/anchore/anchore-engine/security/advisories/GHSA-w4rm-w22x-h7m5
Weakness: CWE-114: Process Control
CVE-2018-1999033
https://notcve.org/view.php?id=CVE-2018-1999033
An exposure of sensitive information vulnerability exists in Jenkins Anchore Container Image Scanner Plugin 10.16 and earlier in AnchoreBuilder.java that allows attackers with Item/ExtendedRead permission or file system access to the Jenkins master to obtain the password stored in this plugin's configuration.
References: https://jenkins.io/security/advisory/2018-07-30/#SECURITY-1039
Weakness: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor