CVE-2021-3762

{"id": "CVE-2021-3762", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-03-03T22:15:08.467", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000795", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/quay/clair/pull/1379", "tags": ["Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/quay/clair/pull/1380", "tags": ["Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/quay/claircore/commit/691f2023a1720a0579e688b69a2f4bfe1f4b7821", "tags": ["Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/quay/claircore/pull/478", "tags": ["Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://vulmon.com/exploitdetails?qidtp=maillist_oss_security&qid=d19fce9ede06e13dfb5630ece7f14f83", "tags": ["Exploit", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "A directory traversal vulnerability was found in the ClairCore engine of Clair. An attacker can exploit this by supplying a crafted container image which, when scanned by Clair, allows for arbitrary file write on the filesystem, potentially allowing for remote code execution."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad de salto de directorio en el motor ClairCore de Clair. Un atacante puede explotar esto al suministrar una imagen de contenedor dise\u00f1ada que, cuando es escaneada por Clair, permite una escritura de archivos arbitrarios en el sistema de archivos, permitiendo potencialmente una ejecuci\u00f3n de c\u00f3digo remota"}], "lastModified": "2023-01-30T19:17:56.973", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:clair:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DC3746AC-E2FF-414F-8707-CE382C70441B", "versionEndExcluding": "0.4.8", "versionStartIncluding": "0.4.6"}, {"criteria": "cpe:2.3:a:redhat:clair:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A6A00809-457A-4305-94EF-7E523A8B1691", "versionEndExcluding": "0.5.5", "versionStartIncluding": "0.5.3"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:quay:3.5.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "414D3D0A-77F7-4D92-88D6-647F293A86B4"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}