CVE-2023-38496

CVSS V2 None CVSS V3 None

Description

Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.

Overview

CVE ID
CVE-2023-38496

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2023-07-25T21:02:12.018Z

Last Modified Date
2023-07-25T21:02:12.018Z

Weakness Enumerations

CWE	URL
CWE-271	http://cwe.mitre.org/data/definitions/271.html
CWE-269	http://cwe.mitre.org/data/definitions/269.html

References

Reference URL	Reference Tags
https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx	x_refsource_CONFIRM
https://github.com/apptainer/apptainer/pull/1523	x_refsource_MISC
https://github.com/apptainer/apptainer/pull/1578	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-38496
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38496

History

Created	Old Value	New Value	Data Type	Notes
2024-06-25 21:28:45				Added to TrackCVE