[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2021-3762 quay/claircore: directory traversal when scanning crafted container ima
From: Przemyslaw Roguski <proguski () redhat ! com>
Date: 2021-09-29 18:20:22
Message-ID: CAGGkMiuFnMtwuUOeP7zdtf0dryKk0JLHfnHAk0uCzioKWeWKfw () mail ! gmail ! com
[Download RAW message or body]
Hello,
A directory traversal vulnerability was found in the ClairCore engine of
Clair.
An attacker can exploit this by supplying a crafted container image which,
when scanned by Clair, allows for arbitrary file write on the filesystem,
potentially allowing for remote code execution.
Red Hat has assigned CVE-2021-3762 to this vulnerability.
These issues have been rated Critical, with a CVSS:
9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
### Affected Versions
ClairCore 0.4.6 release and higher (Clair v4.1.4 and higher)
ClairCore 0.5.3 release and higher (Clair v4.2.1 and higher)
### Fixed Versions
ClairCore v0.4.8 (shipped in Clair v4.1.6)
ClairCore v0.5.5 (shipped in Clair v4.2.3)
### Fixes
https://github.com/quay/claircore/pull/478
https://github.com/quay/clair/pull/1379
https://github.com/quay/clair/pull/1380
## Acknowledgements
Yanir Tsarimi
twitter.com/Yanir_
(Orca Security)
Best regards,
Przemyslaw Roguski
--
Przemyslaw Roguski / Red Hat Product Security
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic