First published: Fri Sep 03 2021
A directory traversal vulnerability was found in the ClairCore engine of Clair. An attacker can exploit it by supplying a crafted container image; when Clair scans that image, the flaw allows an arbitrary file write on the filesystem of the host running the scanner, which can potentially be escalated to remote code execution.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/quay/claircore | <0.5.5 | 0.5.5 |
redhat/quay/claircore | <0.4.8 | 0.4.8 |
Redhat Clair | >=0.4.6 <0.4.8 | |
Redhat Clair | >=0.5.3 <0.5.5 | |
Redhat Quay | =3.5.6 | |
CVE-2021-3762 is a directory traversal vulnerability in the ClairCore engine of Clair.
An attacker exploits CVE-2021-3762 by supplying a crafted container image. When Clair scans that image, the traversal allows an arbitrary file write on the scanner host's filesystem, which can potentially lead to remote code execution.
CVE-2021-3762 carries a CVSS base score of 9.8 (Critical).
The affected versions are Quay/ClairCore before 0.5.5 on the 0.5 branch and before 0.4.8 on the 0.4 branch, Red Hat Clair 0.4.6 up to but not including 0.4.8, Red Hat Clair 0.5.3 up to but not including 0.5.5, and Red Hat Quay 3.5.6 exactly.
To fix CVE-2021-3762, update ClairCore to 0.5.5 (0.5 branch) or 0.4.8 (0.4 branch); the affected Clair ranges end at those same versions. No fixed Quay version is listed on this page, so check the vendor advisory for the Quay update that ships the patched engine.
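The advisory describes the bug only at the level of "crafted image leads to arbitrary file write". The following Go program, added here as an illustration and not taken from ClairCore or Clair, shows the generic shape of that bug class in a layer extractor: a tar entry named with `..` segments is joined onto the extraction root with `filepath.Join`, which normalises the path and silently lands the file above the root. The hardened variant verifies with `filepath.Rel` that every destination stays inside the root. The tar layer, the sandbox directory layout and all function names are constructed for this demo; the escape is deliberately kept inside a temporary directory so the program never touches the real filesystem.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrTraversal = errors.New("tar entry escapes extraction root")

// unsafeJoin is the traversal-prone pattern: filepath.Join cleans "..", so
// root joined with "../../x" silently resolves to a path above root.
func unsafeJoin(root, name string) (string, error) {
	return filepath.Join(root, name), nil
}

// safeJoin resolves the entry, then proves with filepath.Rel that the result
// still lies under root; ".." chains are rejected, absolute names are re-rooted.
func safeJoin(root, name string) (string, error) {
	dst := filepath.Join(root, name)
	rel, err := filepath.Rel(root, dst)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%q: %w", name, ErrTraversal)
	}
	return dst, nil
}

// buildLayer returns a constructed in-memory tar layer (sample data, not a real
// image): one benign file plus one entry that climbs two directories up.
func buildLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"etc/os-release", "ID=example\n"},
		{"../../escaped.txt", "written outside the layer root\n"},
	} {
		// tar.Writer errors are sticky, so the single check at Close is enough.
		tw.WriteHeader(&tar.Header{Name: e.name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(e.body))})
		io.WriteString(tw, e.body)
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// extract writes each regular file in layer under root, using join to choose the
// destination. Symlinks and other entry types are skipped; a real extractor must
// validate their targets with the same rigour.
func extract(layer []byte, root string, join func(root, name string) (string, error)) error {
	tr := tar.NewReader(bytes.NewReader(layer))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		dst, err := join(root, hdr.Name)
		if err != nil {
			return err
		}
		if err = os.MkdirAll(filepath.Dir(dst), 0o755); err != nil {
			return err
		}
		data, err := io.ReadAll(tr) // fine for a demo; a real extractor streams to disk
		if err != nil {
			return err
		}
		if err = os.WriteFile(dst, data, 0o644); err != nil {
			return err
		}
	}
}

// runDemo extracts the same layer twice into a throwaway sandbox: with the vulnerable
// join (root is two levels below sandbox, so "../../escaped.txt" lands in sandbox
// itself) and then with the hardened join, which must reject the layer.
func runDemo() (escaped bool, hardenedErr error, err error) {
	sandbox, err := os.MkdirTemp("", "clair-traversal-demo-")
	if err != nil {
		return false, nil, err
	}
	defer os.RemoveAll(sandbox)
	layer := buildLayer()
	if err = extract(layer, filepath.Join(sandbox, "images", "layer0"), unsafeJoin); err != nil {
		return false, nil, err
	}
	_, statErr := os.Stat(filepath.Join(sandbox, "escaped.txt"))
	hardenedErr = extract(layer, filepath.Join(sandbox, "images", "layer1"), safeJoin)
	return statErr == nil, hardenedErr, nil
}

func main() {
	escaped, hardenedErr, err := runDemo()
	fmt.Println("escaped root:", escaped, "| hardened extractor:", hardenedErr, "| setup error:", err)
}
```

Run with `go run .`: the vulnerable pass reports `escaped root: true`, the hardened pass fails on the traversal entry with an error wrapping ErrTraversal. Two caveats a reviewer of a real extractor should still raise: the `Rel` check is purely lexical, so a symlink entry pointing outside the root followed by a file written through it needs its own validation, and on Go 1.20 and later `filepath.IsLocal` plus `archive/tar`'s ErrInsecurePath (enabled via the `tarinsecurepath` GODEBUG setting) give library-level versions of the same check.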