5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-24579

GHSA ID

GHSA-hpxr-w9w7-g4gv

EPSS Score

0.17291%

CWE

CWE-22

Published

1/31/2024

Updated

2/2/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-24579

CVE-2024-24579: stereoscope vulnerable to tar path traversal when processing OCI tar archives

Impact

It is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of github.com/anchore/stereoscope/pkg/file.UntarToDirectory() function, the github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider struct, or the higher level github.com/anchore/stereoscope/pkg/image.Image.Read() function express this vulnerability.

Patches

Patched in v0.0.1

Workarounds

If you are using the OCI archive as input into stereoscope then you can switch to using an OCI layout by unarchiving the tar archive and provide the unarchived directory to stereoscope.

References

Patch PR https://github.com/anchore/stereoscope/pull/214

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-24579

GHSA ID

GHSA-hpxr-w9w7-g4gv

EPSS Score

0.17291%

CWE

CWE-22

Published

1/31/2024

Updated

2/2/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/anchore/stereoscope	go	< 0.0.1	0.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly lists these three components as vulnerable entry points. The commit diff shows UntarToDirectory lacked path traversal checks (no 'strings.HasPrefix' validation) prior to patching. The TarballImageProvider and Image.Read functions are architectural parents that would utilize this vulnerable untarring logic when processing OCI archives, as indicated in both the advisory and CVE description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t It is possi*l* to *r**t *n O*I t*r *r**iv* t**t, w**n st*r*os*op* *tt*mpts to un*r**iv* t** *ont*nts, will r*sult in writin* to p*t*s outsi** o* t** un*r**iv* t*mpor*ry *ir**tory. Sp**i*i**lly, us* o* `*it*u*.*om/*n**or*/st*r*os*op*/pk*/*i

Reasoning

T** vuln*r**ility **s*ription *xpli*itly lists t**s* t*r** *ompon*nts *s vuln*r**l* *ntry points. T** *ommit *i** s*ows Unt*rTo*ir**tory l**k** p*t* tr*v*rs*l ****ks (no 'strin*s.**sPr**ix' v*li**tion) prior to p*t**in*. T** T*r**llIm***Provi**r *n*

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-24579: stereoscope vulnerable to tar path traversal when processing OCI tar archives

Impact

Patches

Workarounds

References

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI