CVE-2023-38496 MEDIUM

CVE-2023-38496: Apptainer's ineffective privileges drop when requesting container network

Vendor Apptainer
Product apptainer
Weakness CWE-271
Published July 25, 2023
Last update October 10, 2024

CVSS base score

6.1/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity Low
Availability High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

What the vulnerability does

Description

Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, so the functions called afterwards run with root privileges. The attack surface is rather limited for users, but an attacker could possibly craft a starter config that deletes any directory on the host filesystem. A security fix has been included in Apptainer 1.2.1. There is no known workaround other than upgrading to Apptainer 1.2.1.

Key dates

Disclosure timeline

July 25, 2023 CVE published
October 10, 2024 Record updated