GitHub Advisory DatabaseGHSA-MQ47-6WWV-V79WPath traversal in claircore
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
93.9%
A directory traversal vulnerability was found in the ClairCore engine of Clair. An attacker can exploit this by supplying a crafted container image which, when scanned by Clair, allows for arbitrary file write on the filesystem, potentially allowing for remote code execution.
Affected configurations
References
bugzilla.redhat.com/show_bug.cgi?id=2000795
github.com/advisories/GHSA-mq47-6wwv-v79w
github.com/quay/clair/pull/1379
github.com/quay/clair/pull/1380
github.com/quay/claircore/commit/691f2023a1720a0579e688b69a2f4bfe1f4b7821
github.com/quay/claircore/commit/dff671c665141f126c072de8a744855d4916c9c7
github.com/quay/claircore/commit/ed5f52aec1c82746725e9cc23e98316eab8be25a
github.com/quay/claircore/commits/v0.4.8
github.com/quay/claircore/commits/v0.5.5
github.com/quay/claircore/commits/v1.1.0
github.com/quay/claircore/pull/478
nvd.nist.gov/vuln/detail/CVE-2021-3762
pkg.go.dev/vuln/GO-2022-0346
vulmon.com/exploitdetails?qidtp=maillist_oss_security&qid=d19fce9ede06e13dfb5630ece7f14f83
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
93.9%