CVE-2021-3762 - OpenCVE

A directory traversal vulnerability was found in the ClairCore engine of Clair. An attacker can exploit this by supplying a crafted container image which, when scanned by Clair, allows for arbitrary file write on the filesystem, potentially allowing for remote code execution.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Clair Quay

Configuration 1 [-]

OR	cpe:2.3:a:redhat:clair::::::::
	cpe:2.3:a:redhat:clair::::::::

Configuration 2 [-]

cpe:2.3:a:redhat:quay:3.5.6:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Quay 3
quay/clair-rhel8:v3.5.7-8	cpe:/a:redhat:quay:3::el8	RHSA-2021:3665	2021-09-28T00:00:00Z

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=2000795
https://github.com/quay/clair/pull/1379
https://github.com/quay/clair/pull/1380
https://github.com/quay/claircore/commit/691f2023a1720a0579e688b69a2f4bfe1f4b7821
https://github.com/quay/claircore/pull/478
https://nvd.nist.gov/vuln/detail/CVE-2021-3762
https://vulmon.com/exploitdetails?qidtp=maillist_oss_security&qid=d19fce9ede06e13dfb5630ece7f14f83
https://www.cve.org/CVERecord?id=CVE-2021-3762

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2022-03-03T21:41:19

Updated: 2024-08-03T17:09:08.890Z

Reserved: 2021-09-03T00:00:00

Link: CVE-2021-3762

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-03-03T22:15:08.467

Modified: 2023-01-30T19:17:56.973

Link: CVE-2021-3762

Redhat

Severity : Critical

Publid Date: 2021-09-28T12:00:00Z

Links: CVE-2021-3762 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "quay/claircore", "vendor": "n/a", "versions": [{"status": "affected", "version": "Affects v0.4.6 and higher, v0.5.3 and higher | Fixedin claircore v0.4.8, v0.5.5."}]}], "descriptions": [{"lang": "en", "value": "A directory traversal vulnerability was found in the ClairCore engine of Clair. An attacker can exploit this by supplying a crafted container image which, when scanned by Clair, allows for arbitrary file write on the filesystem, potentially allowing for remote code execution."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-03T21:41:19", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000795"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/quay/claircore/pull/478"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/quay/clair/pull/1379"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/quay/clair/pull/1380"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/quay/claircore/commit/691f2023a1720a0579e688b69a2f4bfe1f4b7821"}, {"tags": ["x_refsource_MISC"], "url": "https://vulmon.com/exploitdetails?qidtp=maillist_oss_security&qid=d19fce9ede06e13dfb5630ece7f14f83"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2021-3762", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "quay/claircore", "version": {"version_data": [{"version_value": "Affects v0.4.6 and higher, v0.5.3 and higher | Fixedin claircore v0.4.8, v0.5.5."}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A directory traversal vulnerability was found in the ClairCore engine of Clair. An attacker can exploit this by supplying a crafted container image which, when scanned by Clair, allows for arbitrary file write on the filesystem, potentially allowing for remote code execution."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2000795", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000795"}, {"name": "https://github.com/quay/claircore/pull/478", "refsource": "MISC", "url": "https://github.com/quay/claircore/pull/478"}, {"name": "https://github.com/quay/clair/pull/1379", "refsource": "MISC", "url": "https://github.com/quay/clair/pull/1379"}, {"name": "https://github.com/quay/clair/pull/1380", "refsource": "MISC", "url": "https://github.com/quay/clair/pull/1380"}, {"name": "https://github.com/quay/claircore/commit/691f2023a1720a0579e688b69a2f4bfe1f4b7821", "refsource": "MISC", "url": "https://github.com/quay/claircore/commit/691f2023a1720a0579e688b69a2f4bfe1f4b7821"}, {"name": "https://vulmon.com/exploitdetails?qidtp=maillist_oss_security&qid=d19fce9ede06e13dfb5630ece7f14f83", "refsource": "MISC", "url": "https://vulmon.com/exploitdetails?qidtp=maillist_oss_security&qid=d19fce9ede06e13dfb5630ece7f14f83"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:09:08.890Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000795"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/quay/claircore/pull/478"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/quay/clair/pull/1379"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/quay/clair/pull/1380"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/quay/claircore/commit/691f2023a1720a0579e688b69a2f4bfe1f4b7821"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://vulmon.com/exploitdetails?qidtp=maillist_oss_security&qid=d19fce9ede06e13dfb5630ece7f14f83"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-3762", "datePublished": "2022-03-03T21:41:19", "dateReserved": "2021-09-03T00:00:00", "dateUpdated": "2024-08-03T17:09:08.890Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:clair:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC3746AC-E2FF-414F-8707-CE382C70441B", "versionEndExcluding": "0.4.8", "versionStartIncluding": "0.4.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:clair:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6A00809-457A-4305-94EF-7E523A8B1691", "versionEndExcluding": "0.5.5", "versionStartIncluding": "0.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:quay:3.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "414D3D0A-77F7-4D92-88D6-647F293A86B4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A directory traversal vulnerability was found in the ClairCore engine of Clair. An attacker can exploit this by supplying a crafted container image which, when scanned by Clair, allows for arbitrary file write on the filesystem, potentially allowing for remote code execution."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad de salto de directorio en el motor ClairCore de Clair. Un atacante puede explotar esto al suministrar una imagen de contenedor dise\u00f1ada que, cuando es escaneada por Clair, permite una escritura de archivos arbitrarios en el sistema de archivos, permitiendo potencialmente una ejecuci\u00f3n de c\u00f3digo remota"}], "id": "CVE-2021-3762", "lastModified": "2023-01-30T19:17:56.973", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-03T22:15:08.467", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000795"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/quay/clair/pull/1379"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/quay/clair/pull/1380"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/quay/claircore/commit/691f2023a1720a0579e688b69a2f4bfe1f4b7821"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/quay/claircore/pull/478"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://vulmon.com/exploitdetails?qidtp=maillist_oss_security&qid=d19fce9ede06e13dfb5630ece7f14f83"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Yanir Tsarimi (Orca Security) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:3665", "cpe": "cpe:/a:redhat:quay:3::el8", "impact": "important", "package": "quay/clair-rhel8:v3.5.7-8", "product_name": "Red Hat Quay 3", "release_date": "2021-09-28T00:00:00Z"}], "bugzilla": {"description": "quay/claircore: directory traversal when scanning crafted container image layer allows for arbitrary file write", "id": "2000795", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000795"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-22", "details": ["A directory traversal vulnerability was found in the ClairCore engine of Clair. An attacker can exploit this by supplying a crafted container image which, when scanned by Clair, allows for arbitrary file write on the filesystem, potentially allowing for remote code execution.", "A directory traversal vulnerability was found in the ClairCore engine of Clair. An attacker can exploit this by supplying a crafted container image which, when scanned by Clair, allows for arbitrary file write on the filesystem, potentially allowing for remote code execution."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2021-3762", "public_date": "2021-09-28T12:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3762\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3762"], "statement": "Only a single version of Red Hat Quay, 3.5.6 is affected by this vulnerability. All previous released versions of Red Hat Quay are not affected by this vulnerability.\nThe overall vulnerability is rated as Critical for the ClairCore engine, but only rated Important for the Red Hat Quay product. In Red Hat Quay, Clair runs as the 'nobody' user in an unprivileged container, limiting the impact to modification of non-sensitives files in that container.\nRed Hat Advanced Cluster Security is not affected by this vulnerability.\nQuay.io is not affected by this vulnerability.", "threat_severity": "Critical", "upstream_fix": "quay/claircore 0.5.5, quay/claircore 0.4.8"}