CVE-2023-38496

2023-07-2522:15:10

CWE-269

CWE-271

[email protected]

web.nvd.nist.gov

apptainer

container platform

root privilege escalation

network setup

security fix

version 1.2.1

CVSS3

3.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

20.2%

JSON

Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.

Affected configurations

Nvd

Node

lfprojectsapptainerMatch1.2.0-go

lfprojectsapptainerMatch1.2.0rc2go

VendorProductVersionCPE
lfprojectsapptainer1.2.0cpe:2.3:a:lfprojects:apptainer:1.2.0:-:*:*:*:go:*:*
lfprojectsapptainer1.2.0cpe:2.3:a:lfprojects:apptainer:1.2.0:rc2:*:*:*:go:*:*

Vendor	Product	Version	CPE
lfprojects	apptainer	1.2.0	cpe:2.3:a:lfprojects:apptainer:1.2.0:-::::go::*
lfprojects	apptainer	1.2.0	cpe:2.3:a:lfprojects:apptainer:1.2.0:rc2::::go::*