CVE-2023-38496 — Improper Privilege Management in Apptainer Apptainer

CWE-269 — Improper Privilege Management CWE-271 — Privilege Dropping / Lowering Errors5 documents4 sources

Severity

3.3LOWNVD

CNA6.1

EPSS

0.0%

top 87.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Apptainer Apptainer Apptainer Lfprojects Apptainer

Timeline

PublishedJul 25

Latest updateAug 20

Description

Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages3 packages

▶Gogithub.com/apptainer_apptainer1.2.0 — 1.2.1

▶CVEListV5apptainer/apptainer>= 1.2.0-rc.2, < 1.2.1

▶NVDlfprojects/apptainer1.2.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Ineffective privileges drop when requesting container network in github.com/apptainer/apptainer↗2024-08-20

▶

OSV

Ineffective privileges drop when requesting container network↗2023-07-25

▶

CVEList

Apptainer's ineffective privileges drop when requesting container network↗2023-07-25

▶

GHSA

Ineffective privileges drop when requesting container network↗2023-07-25

▶