CVE-2024-24579: 
Wolfi vulnerability analysis and mitigation

A path traversal vulnerability was discovered in stereoscope when processing OCI tar archives. The vulnerability, identified as CVE-2024-24579, affects versions prior to 0.0.1 of the github.com/anchore/stereoscope package. The issue was disclosed and patched on January 31, 2024, affecting the package's tar archive processing functionality (GitHub Advisory).

The vulnerability exists in the tar archive processing functionality, specifically in the github.com/anchore/stereoscope/pkg/file.UntarToDirectory() function, the github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider struct, and the higher level github.com/anchore/stereoscope/pkg/image.Image.Read() function. The issue has been assigned a CVSS v3.1 score of 5.3 (Moderate) with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. The vulnerability is classified as CWE-22 (GitHub Advisory).

When stereoscope attempts to unarchive contents from a crafted OCI tar archive, it can result in writing to paths outside of the unarchive temporary directory, potentially leading to unauthorized file system access. The vulnerability affects confidentiality, integrity, and availability at a low level (GitHub Advisory).

The vulnerability has been patched in version 0.0.1 of stereoscope. As a workaround, users can switch to using an OCI layout by unarchiving the tar archive and providing the unarchived directory to stereoscope instead of using the OCI archive directly (GitHub Advisory).