Home > Vulnerability Database > CVE-2024-24579

Mend.io Vulnerability Database

CVE-2024-24579

Good to know:

Date: January 31, 2024

stereoscope is a go library for processing container images and simulating a squash filesystem. Prior to version 0.0.1, it is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, the `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct, or the higher level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function express this vulnerability. As a workaround, if you are using the OCI archive as input into stereoscope then you can switch to using an OCI layout by unarchiving the tar archive and provide the unarchived directory to stereoscope.

Language: Go

Severity Score

9.8

Related Resources (4)

Url: https://github.com/anchore/stereoscope/security/advisories/GHSA-hpxr-w9w7-g4gv

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-24579

Url: https://github.com/anchore/stereoscope/commit/09dacab4d9ee65ee8bc7af8ebf4aa7b5aaa36204

Url: https://www.mend.io/vulnerability-database/CVE-2024-24579

Severity Score

9.8

Weakness Type (CWE)

Path Traversal

CWE-22

Top Fix

Upgrade Version

Upgrade to version v0.0.1

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-24579

Good to know:

Date: January 31, 2024

Language: Go

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?