9.8

CVE-2021-3762

Exploit
A directory traversal vulnerability was found in the ClairCore engine of Clair. An attacker can exploit this by supplying a crafted container image which, when scanned by Clair, allows for arbitrary file write on the filesystem, potentially allowing for remote code execution.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatClair Version >= 0.4.6 < 0.4.8
RedhatClair Version >= 0.5.3 < 0.5.5
RedhatQuay Version3.5.6
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.51% 0.903
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://bugzilla.redhat.com/show_bug.cgi?id=2000795
Patch
Third Party Advisory
Issue Tracking
https://github.com/quay/clair/pull/1379
Patch
Third Party Advisory
https://github.com/quay/clair/pull/1380
Patch
Third Party Advisory
https://github.com/quay/claircore/commit/691f2023a1720a0579e688b69a2f4bfe1f4b7821
Patch
Third Party Advisory
https://github.com/quay/claircore/pull/478
Patch
Third Party Advisory
https://vulmon.com/exploitdetails?qidtp=maillist_oss_security&qid=d19fce9ede06e13dfb5630ece7f14f83
Third Party Advisory
Exploit