// For flags

CVE-2020-11075

Shell Escape in Anchore Engine

Severity Score

9.9
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In Anchore Engine version 0.7.0, a specially crafted container image manifest, fetched from a registry, can be used to trigger a shell escape flaw in the anchore engine analyzer service during an image analysis process. The image analysis operation can only be executed by an authenticated user via a valid API request to anchore engine, or if an already added image that anchore is monitoring has its manifest altered to exploit the same flaw. A successful attack can be used to execute commands that run in the analyzer environment, with the same permissions as the user that anchore engine is run as - including access to the credentials that Engine uses to access its own database which have read-write ability, as well as access to the running engien analyzer service environment. By default Anchore Engine is released and deployed as a container where the user is non-root, but if users run Engine directly or explicitly set the user to 'root' then that level of access may be gained in the execution environment where Engine runs. This issue is fixed in version 0.7.1.

En Anchore Engine versión 0.7.0, un manifiesto de imagen de contenedor especialmente diseñado, extraído de un registro, puede ser utilizado para desencadenar un fallo de escape del shell en el servicio del analizador de anchore engine durante un proceso de análisis de imagen. La operación de análisis de imagen solo puede ser ejecutada por un usuario autenticado por medio de una petición de API válida al anchore engine, o si una imagen ya agregada que anchore está monitoreando tiene su manifiesto alterado para explotar el mismo fallo. Un ataque con éxito puede ser utilizado para ejecutar comandos que son realizados en el entorno del analizador, con los mismos permisos que el usuario que ejecuta anchore engine, incluido el acceso a las credenciales que usa Engine para acceder a su propia base de datos que tiene capacidad de lectura y escritura, así como también acceso al entorno de servicio del analizador de engine en ejecución. Por defecto, Anchore Engine es iniciado y se despliega como un contenedor donde el usuario no es root, pero si los usuarios ejecutan Engine directa o explícitamente configuran al usuario como "root", entonces ese nivel de acceso puede ser alcanzado en el entorno de ejecución donde se ejecuta Engine. Este problema es corregido en la versión 0.7.1.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-03-30 CVE Reserved
  • 2020-05-27 CVE Published
  • 2023-05-16 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-114: Process Control
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Anchore
Search vendor "Anchore"
 Engine
Search vendor "Anchore" for product "Engine"
 0.7.0
Search vendor "Anchore" for product "Engine" and version "0.7.0"
-
Affected