CVE-2024-24579 – github.com/anchore/stereoscope
Package
Manager: go
Name: github.com/anchore/stereoscope
Vulnerable Version: >=0 <0.0.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00055 (percentile 0.17264)
Details
stereoscope vulnerable to tar path traversal when processing OCI tar archives

### Impact
It is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive its contents, results in writes to paths outside of the unarchive temporary directory. Specifically, the `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, the `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct, and the higher-level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function are affected.

### Patches
Patched in v0.0.1

### Workarounds
If you are using an OCI archive as input to stereoscope, you can switch to an [OCI layout](https://github.com/opencontainers/image-spec/blob/main/image-layout.md) by unarchiving the tar archive yourself and providing the unarchived directory to stereoscope.

### References
- Patch PR https://github.com/anchore/stereoscope/pull/214
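The defect class here (CWE-22) is an extractor that joins an archive entry name onto its destination without checking that the result stays inside it. As an added illustration, not stereoscope's code and not the fix from the patch PR, the Go extractor below validates every entry name with `filepath.IsLocal` (Go 1.20+) before joining it under the destination; the names `UntarToDirectorySafe`, `safeJoin` and `ErrPathTraversal` are my own.

```go
package main

import (
	"archive/tar"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// ErrPathTraversal is returned when an archive entry would resolve outside dest.
var ErrPathTraversal = errors.New("tar entry escapes destination directory")
// safeJoin rejects entry names that are absolute or climb out through ".."
// (filepath.IsLocal, Go 1.20+) and only then joins them under dest.
func safeJoin(dest, name string) (string, error) {
	if !filepath.IsLocal(name) {
		return "", fmt.Errorf("%w: %q", ErrPathTraversal, name)
	}
	return filepath.Join(dest, name), nil
}
// UntarToDirectorySafe extracts dirs and regular files from r into dest, aborting on
// the first hostile entry. Symlinks/hard links are skipped; vet their targets as well.
func UntarToDirectorySafe(r io.Reader, dest string) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		target, err := safeJoin(dest, hdr.Name)
		if err != nil {
			return err // nothing has been written for the hostile entry
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeReg:
			var data []byte // whole entry buffered in memory; fine for a demo
			if data, err = io.ReadAll(tr); err == nil {
				err = os.WriteFile(target, data, hdr.FileInfo().Mode().Perm())
			}
		}
		if err != nil {
			return err
		}
	}
}
```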
Metadata
Created: 2024-01-31T22:39:17Z
Modified: 2024-01-31T22:39:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-hpxr-w9w7-g4gv/GHSA-hpxr-w9w7-g4gv.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-hpxr-w9w7-g4gv
Finding: F063
Auto approve: 1