CVE-2024-24579

Tar path traversal in stereoscope when processing OCI tar archives

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

stereoscope is a go library for processing container images and simulating a squash filesystem. Prior to version 0.0.1, it is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, the `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct, or the higher level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function express this vulnerability. As a workaround, if you are using the OCI archive as input into stereoscope then you can switch to using an OCI layout by unarchiving the tar archive and provide the unarchived directory to stereoscope.

stereoscope es una liibrería para procesar imágenes de contenedores y simular un sistema de archivos squash. Antes de la versión 0.0.1, era posible crear un archivo tar OCI que, cuando stereoscope intenta desarchivar el contenido, se escribiría en rutas fuera del directorio temporal de desarchivado. Específicamente, el uso de la función `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()`, la estructura `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` o el nivel superior `github. com/anchore/stereoscope/pkg/image.Image.Read()` expresa esta vulnerabilidad. Como workaround, si está utilizando el archivo OCI como entrada en el estereoscopio, puede pasar a utilizar un diseño OCI desarchivando el archivo tar y proporcionando el directorio desarchivado al estereoscopio.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-01-25 CVE Reserved
2024-01-31 CVE Published
2024-02-10 EPSS Updated
2024-08-23 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (2)

URL	Tag	Source
https://github.com/anchore/stereoscope/security/advisories/GHSA-hpxr-w9w7-g4gv	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/anchore/stereoscope/commit/09dacab4d9ee65ee8bc7af8ebf4aa7b5aaa36204	2024-02-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Anchore Search vendor "Anchore"		Stereoscope Search vendor "Anchore" for product "Stereoscope"				< 0.0.1 Search vendor "Anchore" for product "Stereoscope" and version " < 0.0.1"		go		Affected