Vulnerability Report: GO-2024-2490

CVE-2024-24579, GHSA-hpxr-w9w7-g4gv
Affects: github.com/anchore/stereoscope
Published: Feb 13, 2024
Modified: May 20, 2024

It is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory.

For detailed information about this vulnerability, visit https://github.com/anchore/stereoscope/security/advisories/GHSA-hpxr-w9w7-g4gv.

Affected Packages

Path

Go Versions

Symbols
github.com/anchore/stereoscope/pkg/file

before v0.0.1
- UntarToDirectory

Aliases

CVE-2024-24579
GHSA-hpxr-w9w7-g4gv

References

https://github.com/anchore/stereoscope/security/advisories/GHSA-hpxr-w9w7-g4gv
https://github.com/anchore/stereoscope/commit/09dacab4d9ee65ee8bc7af8ebf4aa7b5aaa36204
https://vuln.go.dev/ID/GO-2024-2490.json

Credits

@wagoodman, @joshbressers, @nurmi

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL