CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
AI Score confidence | High |
EPSS percentile | 39.4% |
stereoscope is a Go library for processing container images and simulating a squashed filesystem. Prior to version 0.0.1, a crafted OCI tar archive can cause stereoscope, when it unarchives the contents, to write files to paths outside the temporary unarchive directory (directory traversal through archive entry names). The vulnerability is reachable through the github.com/anchore/stereoscope/pkg/file.UntarToDirectory() function, the github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider struct, and the higher-level github.com/anchore/stereoscope/pkg/image.Image.Read() function. As a workaround, if you use an OCI archive as input to stereoscope, switch to an OCI layout instead: unarchive the tar archive yourself, with a tool that rejects entries escaping the target directory, and provide the resulting directory to stereoscope.
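The traversal class described above arises when an entry name taken from the archive is joined onto the extraction directory and written without checking that the cleaned result still lies inside that directory. The following Go block is an added example, not stereoscope's own code or its actual fix: it shows a hardened extraction loop that validates every entry name and symlink target before touching the disk, and feeds it a constructed in-memory archive containing a `../../escape.txt` entry. All function names (`safeJoin`, `untarToDirectory`, `buildArchive`, `extractConstructed`) and the sample entry names are illustrative assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for any tar entry whose resolved path would land
// outside the extraction directory.
var ErrTraversal = errors.New("tar entry escapes destination directory")

// safeJoin joins name onto dest and rejects the result if it is not inside dest.
// filepath.Join already collapses "..", so the check runs on the cleaned result
// via filepath.Rel instead of string-matching the raw entry name.
func safeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name)
	rel, err := filepath.Rel(dest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	return target, nil
}

// untarToDirectory is the hardened extraction loop (illustrative, not the
// library's function of the same name): every header name and symlink target
// goes through safeJoin before anything is created on disk.
func untarToDirectory(r io.Reader, dest string) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		target, err := safeJoin(dest, hdr.Name)
		if err != nil {
			return err
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return err
			}
		case tar.TypeReg:
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
			if err != nil {
				return err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return err
			}
		case tar.TypeSymlink:
			// The link target resolves relative to the link's own directory, so it
			// is checked from there; absolute targets are rejected outright.
			if filepath.IsAbs(hdr.Linkname) {
				return fmt.Errorf("%w: symlink %q -> %q", ErrTraversal, hdr.Name, hdr.Linkname)
			}
			if _, err := safeJoin(dest, filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname)); err != nil {
				return err
			}
			if err := os.Symlink(hdr.Linkname, target); err != nil {
				return err
			}
		default:
			return fmt.Errorf("unsupported tar entry type %d for %q", hdr.Typeflag, hdr.Name)
		}
	}
}

// buildArchive constructs an in-memory tar (constructed sample input, not a real
// OCI archive) holding one small regular file per name, traversal names included.
func buildArchive(names []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		body := []byte("payload for " + n)
		_ = tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
		_, _ = tw.Write(body)
	}
	_ = tw.Close()
	return buf.Bytes()
}

// extractConstructed builds an archive from names and extracts it into a fresh
// temporary directory, returning the extraction error (nil on success).
func extractConstructed(names []string) error {
	dest, err := os.MkdirTemp("", "untar-example-")
	if err != nil {
		return err
	}
	defer os.RemoveAll(dest)
	return untarToDirectory(bytes.NewReader(buildArchive(names)), dest)
}

func main() {
	fmt.Println("benign archive:", extractConstructed([]string{"blobs/sha256/abc", "index.json"}))
	fmt.Println("traversal archive:", extractConstructed([]string{"index.json", "../../escape.txt"}))
}
```

The check deliberately compares the cleaned, joined path against the destination rather than looking for `..` in the raw name, since `a/../../b` and similar forms only reveal themselves after cleaning. Production extractors should additionally Lstat each path component before writing so that a directory symlink planted by an earlier entry cannot redirect a later write; that case is outside the scope of this example.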
Vendor | Product | Version | CPE |
---|---|---|---|
anchore | stereoscope | * | cpe:2.3:a:anchore:stereoscope:*:*:*:*:*:go:*:* |
[
{
"vendor": "anchore",
"product": "stereoscope",
"versions": [
{
"version": "< 0.0.1",
"status": "affected"
}
]
}
]