containernetworking/cni improper limitation of path name
Overview
Source
ID
GHSA-xjqr-g762-pxwp
Aliases
CVE-2021-20206
GO-2022-0230
Affected package
Description
An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1. When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute other existing binaries other than the cni plugins/types, such as 'reboot'. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. ### Specific Go Packages Affected github.com/containernetworking/cni/pkg/invoke
Impact
Severity
help_outline
Latest version of the CVSS score reported by the source of the advisory.
7.2 HIGH
Reference links
Summary
651
Total packages affected
help_outline
Packages with at least one version that is affected by the advisory or has an affected dependency.
247
Packages with a known fix
help_outline
Packages with versions affected by the advisory that have a greater version that is not affected.
0.05%
Total ecosystem affected
help_outline
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
Affected Version: Introduced: 0, Fixed: 0.8.1
Patched/Unaffected
Affected