Description
Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, so the functions called afterwards still run with root privileges. The attack surface is rather limited for users, but an attacker could possibly craft a starter config to delete any directory on the host filesystem. A security fix is included in Apptainer 1.2.1. There is no known workaround other than upgrading to Apptainer 1.2.1.
References (3)
Patch, Vendor Advisory: https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx
Patch: https://github.com/apptainer/apptainer/pull/1523
Patch: https://github.com/apptainer/apptainer/pull/1578
Scores
CVSS v3.1 base score: 6.1 (Medium)
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H (Attack Vector: LOCAL)
EPSS: 0.0024 (percentile 15.0%)
CISA SSVC (Vulnrichment): Exploitation: none; Automatable: no; Technical Impact: partial
Details
CWE
CWE-269: Improper Privilege Management
CWE-271: Privilege Dropping / Lowering Errors
Status
published
Products (2)
apptainer/apptainer
1.2.0 - 1.2.1 (Go)
lfprojects/apptainer
1.2.0 (2 CPE variants)
Published
Jul 25, 2023
Tracked Since
Feb 18, 2026