CVE-2024-24579

2024-01-3117:15:40

CWE-22

GitHub_M

web.nvd.nist.gov

stereoscope

go library

container images

security vulnerability

cve-2024-24579

oci tar archive

filesystem

image processing

image simulation

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.001

Percentile

39.4%

JSON

stereoscope is a go library for processing container images and simulating a squash filesystem. Prior to version 0.0.1, it is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of github.com/anchore/stereoscope/pkg/file.UntarToDirectory() function, the github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider struct, or the higher level github.com/anchore/stereoscope/pkg/image.Image.Read() function express this vulnerability. As a workaround, if you are using the OCI archive as input into stereoscope then you can switch to using an OCI layout by unarchiving the tar archive and provide the unarchived directory to stereoscope.

Affected configurations

Nvd

Vulners

Vulnrichment

Node

anchorestereoscopeRange<0.0.1go

VendorProductVersionCPE
anchorestereoscope*cpe:2.3:a:anchore:stereoscope:*:*:*:*:*:go:*:*

Vendor	Product	Version	CPE
anchore	stereoscope	*	cpe:2.3:a:anchore:stereoscope::::::go::*

CNA Affected

[
  {
    "vendor": "anchore",
    "product": "stereoscope",
    "versions": [
      {
        "version": "< 0.0.1",
        "status": "affected"
      }
    ]
  }
]