CVE-2023-30549 — Use After Free in Apptainer
Severity: 7.8 HIGH (NVD); CNA 7.1; GHSA 5.5; OSV 5.5
EPSS: 0.0% (top 92.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 25; Latest update Aug 20
Description
Apptainer is an open source container platform for Linux. There is an ext4 use-after-free flaw that is exploitable through versions of Apptainer < 1.1.0 and installations that include apptainer-suid < 1.1.8 on older operating systems where that CVE has not been patched. That includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04 focal. Use-after-free flaws in the kernel can be used to attack the kernel for denial o…
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9
Affected Packages: 3 packages
Also affects: Enterprise Linux 7.0
Patches
Vulnerability Details (OSV, 5 entries)
Unpatched extfs vulnerabilities are exploitable through suid-mode Apptainer in github.com/apptainer/apptainer (2024-08-20)
Vendor Advisories (Debian, 1 entry)
CVE-2023-30549: singularity-container - Apptainer is an open source container platform for Linux. There is an ext4 use-a... (2023)