github - ghsa-2hcm-q3f4-fjgw

ghsa-2hcm-q3f4-fjgw

Vulnerability from github

Published

2025-06-18 09:30

Modified

2025-08-07 18:21

Severity ?

5.7 (Medium) - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Summary

OSV-SCALIBR's Container Image Unpacking Vulnerable to Arbitrary File Write via Path Traversal

Details

Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR's unpack() function for container images. Particularly, when using the CLI flag --remote-image on untrusted container images.

Show details on source website

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/google/osv-scalibr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.3"
            },
            {
              "fixed": "0.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-5981"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-427"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-18T19:45:44Z",
    "nvd_published_at": "2025-06-18T09:15:47Z",
    "severity": "MODERATE"
  },
  "details": "Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR\u0027s unpack()\u00a0function for container images. Particularly, when using the CLI flag --remote-image\u00a0on untrusted container images.",
  "id": "GHSA-2hcm-q3f4-fjgw",
  "modified": "2025-08-07T18:21:23Z",
  "published": "2025-06-18T09:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5981"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/osv-scalibr/commit/2444419b1818c2d6917fc3394c947fb3276e9d59"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/google/osv-scalibr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/osv-scalibr/releases/tag/v0.1.8"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3767"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OSV-SCALIBR\u0027s Container Image Unpacking Vulnerable to Arbitrary File Write via Path Traversal"
}

CVE-2025-5981 (GCVE-0-2025-5981)

Vulnerability from cvelistv5

Published

2025-06-18 08:28

Modified

2025-06-18 13:42

Severity ?

5.7 (Medium) - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

CWE

CWE-427 - Uncontrolled Search Path Element

Summary

Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR's unpack() function for container images. Particularly, when using the CLI flag --remote-image on untrusted container images.

References

►

URL

Tags

	https://github.com/google/osv-scalibr/releases/tag/v0.1.8
	https://github.com/google/osv-scalibr/commit/2444419b1818c2d6917fc3394c947fb3276e9d59

Impacted products

	Vendor	Product	Version
	Google	osv-scalibr	Version: 0.1.3 ≤

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5981",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-18T13:42:36.658295Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-18T13:42:49.567Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/google/osv-scalibr",
          "defaultStatus": "unaffected",
          "packageName": "osv-scalibr",
          "product": "osv-scalibr",
          "programFiles": [
            "artifact/image/layerscanning/image/image.go"
          ],
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "0.1.8",
              "status": "affected",
              "version": "0.1.3",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Anthony Weems of Google\u0027s Cloud Vulnerability Research team"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Simon Scannell of Google\u0027s Cloud Vulnerability Research team"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Stefan Schiller of Google\u0027s Cloud Vulnerability Research team"
        }
      ],
      "datePublic": "2025-04-24T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eArbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR\u0027s \u003c/span\u003e\u003ccode\u003eunpack()\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;function for container images. Particularly, when using the CLI flag \u003c/span\u003e\u003ccode\u003e--remote-image\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;on untrusted container images.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR\u0027s unpack()\u00a0function for container images. Particularly, when using the CLI flag --remote-image\u00a0on untrusted container images."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-126 Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427 Uncontrolled Search Path Element",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T08:28:02.899Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://github.com/google/osv-scalibr/releases/tag/v0.1.8"
        },
        {
          "url": "https://github.com/google/osv-scalibr/commit/2444419b1818c2d6917fc3394c947fb3276e9d59"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Arbitrary File write in OSV-SCALIBR",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2025-5981",
    "datePublished": "2025-06-18T08:28:02.899Z",
    "dateReserved": "2025-06-10T12:31:04.353Z",
    "dateUpdated": "2025-06-18T13:42:49.567Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.