CVE-2021-29136 — Improper Input Validation in Opencontainers Umoci

CWE-20 — Improper Input Validation7 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 64.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Opencontainers Umoci Linuxfoundation Umoci Sylabs Singularity

Timeline

PublishedApr 6

Latest updateAug 21

Description

Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when "umoci unpack" or "umoci raw unpack" is used.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶Gogithub.com/opencontainers_umoci< 0.4.7

▶NVDlinuxfoundation/umoci< 0.4.7

▶NVDsylabs/singularity< 3.7.3

Patches

Patch: www.openwall.com ↗Patch: github.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

Improper input validation in umoci in github.com/opencontainers/umoci↗2024-08-21

▶

OSV

Improper input validation in umoci↗2022-02-15

▶

GHSA

Improper input validation in umoci↗2022-02-15

▶

OSV

CVE-2021-29136: Open Container Initiative umoci before 0↗2021-04-06

▶

CVEList

CVE-2021-29136: Open Container Initiative umoci before 0↗2021-04-06

▶

📋Vendor Advisories

Debian

CVE-2021-29136: umoci - Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbit...↗2021

▶