CVE-2023-32684

Name of the Vulnerable Software and Affected Versions Lima versions prior to 0.16.0

Description A virtual machine instance with a malicious disk image could read a single file on the host filesystem, even when no filesystem is mounted from the host. The attacker has to embed the target file path in a malicious disk image, as the qcow2 (or vmdk) backing file path string. Lima refuses to run as the root, making it practically impossible for the attacker to read the entire host disk via /dev/rdiskN. The attacker also cannot read at least the first 512 bytes (MBR) of the target file.

Recommendations For versions prior to 0.16.0, update to version 0.16.0 or later, which prohibits using a backing file path in the VM base image. As a temporary workaround, do not use an untrusted disk image.