Threats Tagged 'go'

A vulnerability in github.com/sigstore/rekor allows unauthenticated attackers to cause an out-of-memory (OOM) condition via unbounded gzip decompression in Alpine APK parsing. The Package.Unmarshal() function decompresses gzip members into memory without limiting decompressed size, enabling decompression bombs that exhaust heap memory. This affects versions from 0.3.0 up to but not including 1.5.2. The flaw is reachable through two unauthenticated API endpoints. No effective workaround exists as request body size limits do not prevent large decompressed memory usage.

Incus versions prior to 7.2.0 contain a critical vulnerability where a specially crafted container image with a malicious rootfs symlink can lead to arbitrary file read and write on the host system. This occurs because Incus processes a duplicate top-level rootfs symlink that can point to the host root directory, allowing access with root privileges. Exploitation can result in reading sensitive files like /etc/shadow and writing files anywhere on the host, potentially leading to arbitrary command execution.

A vulnerability in Incus (github.com/lxc/incus/v7/cmd/incusd) prior to version 7.2.0 allows an attacker to write arbitrary files on the host by exploiting the `exec-output` symlink in a crafted container image. The `record-output` parameter of the `/instances/$name/exec` endpoint writes command output files to the `exec-output` directory, which if replaced by a symlink, can redirect these files to arbitrary locations on the host filesystem. This can lead to arbitrary command execution via crafted files such as cron jobs.

A vulnerability in Incus server versions prior to 7.2.0 allows bypassing project restrictions via instance snapshots ignoring the restricted.containers.lowlevel=block setting. This enables arbitrary command execution on the host with root privileges by abusing lowlevel hooks such as raw.lxc and raw.qemu. Attackers can craft malicious snapshots locally, transfer them to a restricted project, and restore them to execute commands on the server.

A vulnerability in Incus (github.com/lxc/incus/v7/cmd/incusd) allows a specially crafted container image or instance backup containing a top-level 'templates' symlink to arbitrary file read and write on the host system. This occurs because the tar extraction process does not reject a top-level 'templates' symlink, enabling attackers to map host directories and modify files such as cron jobs, potentially leading to arbitrary command execution. The issue affects versions prior to 7.2.0.

Incus before version 7.1.0 contains a vulnerability in its S3 protocol upload endpoint that allows path traversal via an unsanitized upload ID. This flaw enables an attacker with limited privileges to write arbitrary files on the host system, potentially leading to arbitrary command execution. The vulnerability arises because the upload ID is appended directly to the uploads directory path without proper validation. A proof-of-concept demonstrates exploitation by writing to sensitive system files such as /etc/cron.d, enabling persistent command execution. This vulnerability is classified as critical due to its potential impact on confidentiality, integrity, and availability.

A nil-pointer dereference vulnerability exists in the Incus daemon (incusd) in the function createDependentVolumesFromBackup. An authenticated user with can_create_instances permission can upload a specially crafted instance backup tarball containing malformed dependent volume entries with nil snapshot pointers or missing volume/pool fields. This causes the daemon to panic and crash, resulting in a persistent denial of service. The issue affects versions prior to 7.1.0.

Incus before version 7.2.0 contains a vulnerability where improper validation of the user-supplied backup compression algorithm allows argument injection. This flaw enables an attacker to inject additional command-line arguments to the compression tool, leading to arbitrary file writes on the host system and potentially arbitrary command execution. The vulnerability arises because only the first token of the compression algorithm is validated against an allowlist, while extra arguments are passed unchecked to the compressor command. A proof-of-concept demonstrates writing a malicious cron job file to the host, enabling remote code execution.

A nil-pointer dereference vulnerability exists in the Incus daemon's CreateCustomVolumeFromBackup function, where the ExpiresAt field of volume snapshots is dereferenced without a nil check. An authenticated user with permission to create storage volumes can trigger a daemon crash by uploading a crafted backup tarball missing the expires_at field in volume snapshots, causing a denial of service.

An arbitrary file write vulnerability exists in the Incus client prior to version 7.2.0. This occurs when a malicious image server returns a crafted Incus-Image-Hash header containing path traversal sequences, allowing files to be written outside the intended directory. The vulnerability can lead to arbitrary command execution as root on the server due to the ability to write files such as cron jobs. The file is created and populated before the SHA-256 hash validation occurs, extending the window for exploitation. A proof-of-concept demonstrates how an attacker can exploit this by serving a malicious image with a crafted header and payload.