{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-65105", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-11-17T20:55:34.693Z", "datePublished": "2025-12-02T17:49:17.312Z", "dateUpdated": "2025-12-02T18:46:30.677Z"}, "containers": {"cna": {"title": "Apptainer ineffective application of selinux and apparmor --security options", "problemTypes": [{"descriptions": [{"cweId": "CWE-61", "lang": "en", "description": "CWE-61: UNIX Symbolic Link (Symlink) Following", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-706", "lang": "en", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/apptainer/apptainer/security/advisories/GHSA-j3rw-fx6g-q46j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/apptainer/apptainer/security/advisories/GHSA-j3rw-fx6g-q46j"}, {"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm", "tags": ["x_refsource_MISC"], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"}, {"name": "https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87", "tags": ["x_refsource_MISC"], "url": "https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87"}, {"name": "https://github.com/apptainer/apptainer/pull/3226", "tags": ["x_refsource_MISC"], "url": "https://github.com/apptainer/apptainer/pull/3226"}, {"name": "https://github.com/apptainer/apptainer/commit/4313b42717e18a4add7dd7503528bc15af905981", "tags": ["x_refsource_MISC"], "url": "https://github.com/apptainer/apptainer/commit/4313b42717e18a4add7dd7503528bc15af905981"}, {"name": "https://github.com/apptainer/apptainer/commit/82f17900a0c31bc769bf9b4612d271c7068d8bf2", "tags": ["x_refsource_MISC"], "url": "https://github.com/apptainer/apptainer/commit/82f17900a0c31bc769bf9b4612d271c7068d8bf2"}], "affected": [{"vendor": "apptainer", "product": "apptainer", "versions": [{"version": "< 1.4.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-02T17:49:17.312Z"}, "descriptions": [{"lang": "en", "value": "Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor:<profile> and --security=selinux:<label> which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. Apparmor is enabled by default on Debian-based distributions and SElinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5."}], "source": {"advisory": "GHSA-j3rw-fx6g-q46j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-02T18:43:58.398576Z", "id": "CVE-2025-65105", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-02T18:46:30.677Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-65105", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-02T18:43:58.398576Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-02T18:44:08.681Z"}}], "cna": {"title": "Apptainer ineffective application of selinux and apparmor --security options", "source": {"advisory": "GHSA-j3rw-fx6g-q46j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "apptainer", "product": "apptainer", "versions": [{"status": "affected", "version": "< 1.4.5"}]}], "references": [{"url": "https://github.com/apptainer/apptainer/security/advisories/GHSA-j3rw-fx6g-q46j", "name": "https://github.com/apptainer/apptainer/security/advisories/GHSA-j3rw-fx6g-q46j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm", "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87", "name": "https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/apptainer/apptainer/pull/3226", "name": "https://github.com/apptainer/apptainer/pull/3226", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/apptainer/apptainer/commit/4313b42717e18a4add7dd7503528bc15af905981", "name": "https://github.com/apptainer/apptainer/commit/4313b42717e18a4add7dd7503528bc15af905981", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/apptainer/apptainer/commit/82f17900a0c31bc769bf9b4612d271c7068d8bf2", "name": "https://github.com/apptainer/apptainer/commit/82f17900a0c31bc769bf9b4612d271c7068d8bf2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor:<profile> and --security=selinux:<label> which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. Apparmor is enabled by default on Debian-based distributions and SElinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-61", "description": "CWE-61: UNIX Symbolic Link (Symlink) Following"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-706", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-02T17:49:17.312Z"}}}, "cveMetadata": {"cveId": "CVE-2025-65105", "state": "PUBLISHED", "dateUpdated": "2025-12-02T18:46:30.677Z", "dateReserved": "2025-11-17T20:55:34.693Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-12-02T17:49:17.312Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lfprojects:apptainer:*:*:*:*:*:go:*:*", "matchCriteriaId": "3ABF5585-9632-4E5F-AD97-8C1777DA3F55", "versionEndExcluding": "1.4.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor:<profile> and --security=selinux:<label> which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. Apparmor is enabled by default on Debian-based distributions and SElinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5."}], "id": "CVE-2025-65105", "lastModified": "2025-12-05T19:08:58.887", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-12-02T18:15:48.947", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/apptainer/apptainer/commit/4313b42717e18a4add7dd7503528bc15af905981"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/apptainer/apptainer/commit/82f17900a0c31bc769bf9b4612d271c7068d8bf2"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/apptainer/apptainer/pull/3226"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/apptainer/apptainer/security/advisories/GHSA-j3rw-fx6g-q46j"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-61"}, {"lang": "en", "value": "CWE-706"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Apptainer: Apptainer: Security bypass due to disabling security options", "id": "2418392", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418392"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "(CWE-61|CWE-706)", "details": ["Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor:<profile> and --security=selinux:<label> which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. Apparmor is enabled by default on Debian-based distributions and SElinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5.", "A flaw was found in Apptainer. This vulnerability allows a container to disable the --security=apparmor:<profile> and --security=selinux:<label> options, bypassing security restrictions on container operations via the --security option. This affects unprivileged users on systems where Apparmor or SELinux (Security-Enhanced Linux) are enabled."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-65105", "public_date": "2025-12-02T17:49:17Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-65105\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-65105\nhttps://github.com/apptainer/apptainer/commit/4313b42717e18a4add7dd7503528bc15af905981\nhttps://github.com/apptainer/apptainer/commit/82f17900a0c31bc769bf9b4612d271c7068d8bf2\nhttps://github.com/apptainer/apptainer/pull/3226\nhttps://github.com/apptainer/apptainer/security/advisories/GHSA-j3rw-fx6g-q46j\nhttps://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm\nhttps://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87"], "statement": "This vulnerability is rated Moderate for Red Hat because Apptainer, when running containers on RHEL-based systems with SELinux enabled, allows a container to bypass the intended security restrictions provided by the --security=selinux option. This could lead to a reduction in the security posture of the container, even when the option is explicitly used.", "threat_severity": "Moderate"}

{"created": "2025-12-04T16:44:39.192950+00:00", "updated": "2025-12-04T16:44:39.192983+00:00", "vendors": ["debian", "debian$PRODUCT$linux", "lfprojects", "lfprojects$PRODUCT$apptainer", "redhat", "redhat$PRODUCT$enterprise_linux", "sylabs", "sylabs$PRODUCT$singularity"]}