CVE-2023-38496 Vulnerability Details

  /     /     /  

CVE-2023-38496 Metadata Quick Info

CVE Published: 25/07/2023 | CVE Updated: 10/10/2024 | CVE Year: 2023
Source: GitHub_M | Vendor: apptainer | Product: apptainer
Status : PUBLISHED

---

CVE-2023-38496 Description

Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.

Metrics

CVSS Version: 3.1 | Base Score: 6.1 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)* LOCAL
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* NONE
    User Interaction (UI)* REQUIRED
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* NONE
    Integrity Impact (I)* LOW
    Availability Impact (A)* HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-271
CWE Name: CWE-271: Privilege Dropping / Lowering Errors
Source: apptainer

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).