Impact
Trivy, a container vulnerability scanner, stores OCI artifact layers to disk using the org.opencontainers.image.title annotation from the manifest as the destination filename. Before version 0.71.1 this value is accepted without validation. An attacker able to influence which artifact Trivy retrieves can supply a crafted annotation that resolves to a path outside the intended extraction directory, causing Trivy to write the layer contents to an arbitrary file on the host filesystem. This flaw permits unauthorized file creation or overwriting, potentially allowing modification of configuration files, installation of malicious payloads, or subsequent local code execution, thereby endangering the integrity and confidentiality of the host environment.
Affected Systems
Affected systems are installations of Trivy produced by Aquasecurity with a version older than 0.71.1. Any instance of the tool that downloads OCI artifacts is vulnerable, regardless of how it is invoked. The vulnerability is fixed in Trivy 0.71.1 and later releases. There are no known vendor patches for older releases besides updating the tool.
Risk and Exploitability
The flaw carries a CVSS score of 7, classifying it as high severity. Exploitation requires Trivy to fetch a maliciously crafted OCI artifact, which in turn necessitates either control over the registry from which the artifact is pulled or influence over the artifact reference used by the scanner. EPSS data is not available and the vulnerability is not listed in CISA's KEV catalog, indicating that widespread exploitation has not yet been observed. Nevertheless, once the attacker can supply the artifact, the ability to write to arbitrary locations on the host where Trivy runs can lead to privilege escalation or remote code execution if the host permissions are sufficiently high.
OpenCVE Enrichment