Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-mmx5-32m4-wxvx: Ineffective privileges drop when requesting container network

Impact

Fix https://github.com/apptainer/apptainer/pull/1523 included in Apptainer 1.2.0-rc.2 has introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges. The attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. Only affects setuid installations of Apptainer.

Patches

The security fix https://github.com/apptainer/apptainer/pull/1578 has been included in Apptainer 1.2.1

Workarounds

There is no known workaround outside of upgrading to Apptainer 1.2.1

ghsa
#git
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-38496

Ineffective privileges drop when requesting container network

Moderate severity GitHub Reviewed Published Jul 24, 2023 in apptainer/apptainer • Updated Jul 25, 2023

Package

gomod github.com/apptainer/apptainer (Go)

Affected versions

>= 1.2.0, < 1.2.1

Impact

Fix apptainer/apptainer#1523 included in Apptainer 1.2.0-rc.2 has introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges. The attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. Only affects setuid installations of Apptainer.

Patches

The security fix apptainer/apptainer#1578 has been included in Apptainer 1.2.1

Workarounds

There is no known workaround outside of upgrading to Apptainer 1.2.1

References

  • GHSA-mmx5-32m4-wxvx
  • apptainer/apptainer#1578

Published to the GitHub Advisory Database

Jul 25, 2023

Last updated

Jul 25, 2023

Related news

CVE-2023-38496: Ineffective privileges drop when requesting container network

Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.

ghsa: Latest News

GHSA-8gc2-vq6m-rwjw: Amazon Redshift Python Connector vulnerable to SQL Injection