CVE-2021-3762

CWE-22 — Path Traversal6 documents5 sources

Severity

9.8CRITICAL

EPSS

8.7%

top 7.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Quay/claircore Redhat Clair Quay Claircore +1 more

Timeline

PublishedMar 3

Latest updateJul 15

Description

A directory traversal vulnerability was found in the ClairCore engine of Clair. An attacker can exploit this by supplying a crafted container image which, when scanned by Clair, allows for arbitrary file write on the filesystem, potentially allowing for remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶Gogithub.com/quay/claircore1.0.0 — 1.1.0+3

▶CVEListV5quay/claircoreAffects v0.4.6 and higher, v0.5.3 and higher | Fixedin claircore v0.4.8, v0.5.5.

▶NVDredhat/clair0.4.6 — 0.4.8+1

▶NVDredhat/quay3.5.6

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Path traversal in github.com/quay/claircore↗2022-07-15

▶

OSV

Path traversal in claircore↗2022-03-04

▶

GHSA

Path traversal in claircore↗2022-03-04

▶

CVEList

CVE-2021-3762: A directory traversal vulnerability was found in the ClairCore engine of Clair↗2022-03-03

▶

📋Vendor Advisories

Red Hat

quay/claircore: directory traversal when scanning crafted container image layer allows for arbitrary file write↗2021-09-28

▶