PT-2023-26477 · Apptainer · Apptainer

Cclerget · Published 2023-07-25 · Updated 2024-08-20 · CVE-2023-38496

CVSS v3.1: 6.1 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: Apptainer versions 1.2.0-rc.2 through 1.2.0

Description: Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, so the functions called afterwards run with root privileges. The attack surface is rather limited for users, but an attacker could possibly craft a starter config to delete any directory on the host filesystem.

Recommendations: For affected Apptainer versions (1.2.0-rc.2 through 1.2.0), upgrade to Apptainer 1.2.1 to resolve the issue. There is no known workaround other than upgrading to Apptainer 1.2.1.

Weakness Enumeration

Improper Privilege Management

Related Identifiers

CVE-2023-38496
GHSA-MMX5-32M4-WXVX
GO-2023-1965
OPENSUSE-SU-2024:0244-1
OPENSUSE-SU-2024:13073-1

Affected Products

Apptainer