stereoscope is a go library for processing container images and simulating a squash filesystem. Prior to version 0.0.1, it is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, the `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct, or the higher level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function express this vulnerability. As a workaround, if you are using the OCI archive as input into stereoscope then you can switch to using an OCI layout by unarchiving the tar archive and provide the unarchived directory to stereoscope.
References
Configurations
History
21 Nov 2024, 08:59
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
References | () https://github.com/anchore/stereoscope/commit/09dacab4d9ee65ee8bc7af8ebf4aa7b5aaa36204 - Patch | |
References | () https://github.com/anchore/stereoscope/security/advisories/GHSA-hpxr-w9w7-g4gv - Third Party Advisory |
09 Feb 2024, 16:22
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:anchore:stereoscope:*:*:*:*:*:go:*:* | |
References | () https://github.com/anchore/stereoscope/commit/09dacab4d9ee65ee8bc7af8ebf4aa7b5aaa36204 - Patch | |
References | () https://github.com/anchore/stereoscope/security/advisories/GHSA-hpxr-w9w7-g4gv - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
First Time |
Anchore
Anchore stereoscope |
31 Jan 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-31 17:15
Updated : 2024-11-21 08:59
NVD link : CVE-2024-24579
Mitre link : CVE-2024-24579
CVE.ORG link : CVE-2024-24579
JSON object : View
Products Affected
anchore
- stereoscope
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')