PT-2024-20466 · Unknown · Stereoscope
Wagoodman · Published 2024-01-31 · Updated 2024-02-13 · CVE-2024-24579
| CVSS v3.1 | 5.3 (Medium) |
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
stereoscope versions prior to 0.0.1
Description
It is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive its contents, results in writes to paths outside of the unarchive temporary directory. This issue is related to the use of the github.com/anchore/stereoscope/pkg/file.UntarToDirectory() function, the github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider struct, or the higher-level github.com/anchore/stereoscope/pkg/image.Image.Read() function.
Recommendations
As a temporary workaround, consider switching to an OCI layout: unarchive the tar archive yourself and provide the unarchived directory to stereoscope.
For versions prior to 0.0.1, update to version 0.0.1 to resolve the issue.
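As an added illustration of the containment check this class of bug lacks (example code, not stereoscope's own), the following Go function extracts a tar archive and rejects any entry whose cleaned path would fall outside the destination directory; the function and error names are hypothetical.

```go
package main

import (
	"archive/tar"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrTraversal = errors.New("tar entry resolves outside the destination directory")

// UntarToDirectory writes the regular files in r under dest, creating parent
// directories on demand. Every entry, whatever its type, is resolved with
// filepath.Join (which collapses "../") and rejected if it lands outside dest.
// Link entries are skipped: honouring them safely needs link-target checks too.
func UntarToDirectory(r io.Reader, dest string) error {
	dest, err := filepath.Abs(dest) // absolute and cleaned, so the prefix test is sound
	if err != nil {
		return err
	}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		target := filepath.Join(dest, hdr.Name)
		if target != dest && !strings.HasPrefix(target, dest+string(os.PathSeparator)) {
			return fmt.Errorf("%w: %q", ErrTraversal, hdr.Name)
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		data, err := io.ReadAll(tr) // buffered for brevity; stream it in production
		if err != nil {
			return err
		}
		if err := os.WriteFile(target, data, 0o644); err != nil {
			return err
		}
	}
}
```

Absolute entry names are re-rooted under dest by filepath.Join, while names that climb out with "../" fail the prefix test before anything is written.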
Weakness Enumeration
Path traversal
Affected Products
Stereoscope