CVE-2021-3762

CVSS v3 base score: 9.8 CRITICAL

📋 TL;DR

A directory traversal vulnerability in ClairCore, the scanning library behind Clair v4, lets an attacker who can get Clair to index a crafted container image write files outside the layer extraction directory (arbitrary file write on the host or container running Clair). That write can be escalated to remote code execution. Any organization that uses Clair to scan container images from sources it does not fully control is affected.

💻 Affected Systems

Products:
  • Clair
  • ClairCore
Versions: Clair v4.x before the fixes in Clair PRs #1379/#1380; ClairCore before commit 691f2023a1720a0579e688b69a2f4bfe1f4b7821
Operating Systems: All platforms running Clair
Default Config Vulnerable: ⚠️ Yes
Notes: Any Clair deployment that indexes images from untrusted sources is vulnerable, whether manifests are submitted to the indexer API directly or by a registry (such as Quay) that hands pushed images to Clair for scanning.

📦 What is this software?

Clair is an open source scanner that performs static vulnerability analysis of container images (OCI and Docker). ClairCore is the Go library that implements Clair v4's indexing and matching: the indexer fetches each image layer and inspects its contents to detect installed packages and distributions, and the matcher correlates those findings with vulnerability databases. This CVE is in the indexer's handling of layer contents, so it reaches every Clair v4 deployment, including Clair used as the scanner behind a Quay registry.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution on the host or container running Clair, leading to full compromise: the attacker can steal data (including registry credentials Clair holds), deploy malware, or pivot to other systems.

🟠

Likely Case

Arbitrary file write in the Clair runtime environment, leading to service disruption, corruption of Clair's working data, or privilege escalation within that environment.

🟢

If Mitigated

Limited impact if Clair runs in an isolated container as a non-root user with a read-only root filesystem and restricted network access; the write is then confined to the container's writable scratch paths and cannot reach the host.

🌐 Internet-Facing: HIGH if the Clair API is reachable from untrusted networks, since attackers can submit manifests for malicious images directly to the indexer.
🏢 Internal Only: MEDIUM if only internal users can submit images; an insider or a compromised account that can push to a scanned registry can still exploit it.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the ability to get Clair to index a crafted image: submitting a manifest to the indexer API, or pushing the image to a registry (such as Quay) that hands it to Clair for scanning. No separate authentication bypass is needed. Clair v4 enforces request authentication only when an auth section is present in config.yaml, and the registry-triggered path is available to anyone who can push images.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Clair v4.1.1 or later, which bundles the ClairCore fix from ClairCore PR #478

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2000795

Restart Required: Yes

Instructions:

1. Update Clair to v4.1.1 or later.
2. If you build Clair from source, update the ClairCore dependency to a revision that includes commit 691f2023a1720a0579e688b69a2f4bfe1f4b7821.
3. Restart the Clair service (indexer, matcher and notifier, if deployed as separate processes) so the patched binary is loaded.

🔧 Temporary Workarounds

Restrict Image Sources

Applies to: all

Only let Clair index images from trusted registries. Clair's indexer fetches layers from whatever registry a submitted manifest points to, and config.yaml does not carry a registry allow-list, so enforce the restriction outside Clair: allow-list registries in the system that submits manifests (your registry or CI pipeline) and apply egress filtering so the Clair host can only reach those registries. This reduces exposure but is not a fix; a trusted registry can still hold a malicious image pushed by an insider or a compromised account.

Run Clair with Minimal Privileges

Applies to: linux

Run the Clair container as a non-root user with a read-only root filesystem. The indexer stores fetched layer data under the system temp directory, so give it a tmpfs there; a traversal write then either fails on the read-only paths or lands in the throwaway tmpfs, which limits persistence but does not remove the bug. Replace <version> with the image tag you deploy.

docker run --read-only --tmpfs /tmp --user 1001 -v "$PWD/config.yaml:/config/config.yaml:ro" \
  quay.io/projectquay/clair:<version> -conf /config/config.yaml -mode combo

🧯 If You Can't Patch

  • Isolate the Clair deployment in its own network segment with strict egress filtering (only its database, the trusted registries and its vulnerability update sources), so a compromised Clair host has nowhere to pivot.
  • Require image signature verification (only images signed by your build pipeline) before a manifest is submitted to Clair, so untrusted images never reach the indexer.
  • Pre-check layer tarballs for entries whose names or link targets resolve outside the extraction directory, and refuse to submit images that contain them.
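As an added example (not code from the Clair or ClairCore projects), the Go program below shows the path traversal pattern behind this CVE and a pre-scan check of the kind listed above. resolveNaive is the unsafe join a careless extractor performs, resolveSafe and checkLink are one hardened form, and FindTraversal walks a layer tarball and lists every entry (regular file, symlink or hard link) that would resolve outside the extraction root. The layer tarball, the extraction root path and all function names are constructed for this example and are not taken from ClairCore.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrEscape is returned for any tar entry that would resolve outside the extraction root.
var ErrEscape = errors.New("tar entry resolves outside the extraction root")

// resolveNaive is the unsafe pattern: join root and entry name and trust the result.
// filepath.Join cleans "..", so enough parent references land anywhere on the host.
func resolveNaive(root, name string) string {
	return filepath.Join(root, name)
}

// resolveSafe joins root and name, then requires the cleaned result to be root itself
// or a descendant of it. Absolute names are rejected outright.
func resolveSafe(root, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", ErrEscape
	}
	cleanRoot := filepath.Clean(root)
	target := filepath.Join(cleanRoot, name)
	if target != cleanRoot && !strings.HasPrefix(target, cleanRoot+string(filepath.Separator)) {
		return "", ErrEscape
	}
	return target, nil
}

// checkLink validates a symlink or hard link target. Symlink targets resolve relative to
// the entry's own directory; absolute symlink targets are rebased onto the layer root
// (as a container runtime interprets them), not the host root. Hard link targets are
// archive-relative names and are checked against the root directly.
func checkLink(root, name, link string, symlink bool) error {
	rel := link
	if symlink {
		if filepath.IsAbs(link) {
			rel = strings.TrimPrefix(filepath.Clean(link), string(filepath.Separator))
		} else {
			rel = filepath.Join(filepath.Dir(name), link)
		}
	}
	_, err := resolveSafe(root, rel)
	return err
}

// FindTraversal walks one layer tarball and returns every entry that a naive extractor
// would write, or link, outside root. An empty result means no traversal entries.
func FindTraversal(root string, layer []byte) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(layer))
	var flagged []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return flagged, nil
		}
		if err != nil {
			return flagged, err
		}
		if _, err := resolveSafe(root, hdr.Name); err != nil {
			flagged = append(flagged, hdr.Name)
			continue
		}
		if hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink {
			if err := checkLink(root, hdr.Name, hdr.Linkname, hdr.Typeflag == tar.TypeSymlink); err != nil {
				flagged = append(flagged, hdr.Name+" -> "+hdr.Linkname)
			}
		}
	}
}

// buildLayer constructs an in-memory tarball standing in for one image layer (constructed
// test data, not a real image): two benign entries, one file that climbs out of the root
// and one symlink whose target climbs out of the root.
func buildLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	write := func(hdr *tar.Header, body string) {
		hdr.Size = int64(len(body))
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, body); err != nil {
			panic(err)
		}
	}
	write(&tar.Header{Name: "etc/os-release", Mode: 0o644, Typeflag: tar.TypeReg}, "ID=alpine\n")
	write(&tar.Header{Name: "bin/sh", Mode: 0o777, Typeflag: tar.TypeSymlink, Linkname: "/bin/busybox"}, "")
	write(&tar.Header{Name: "../../../../../../tmp/pwned", Mode: 0o755, Typeflag: tar.TypeReg}, "#!/bin/sh\n")
	write(&tar.Header{Name: "usr/lib/evil", Mode: 0o777, Typeflag: tar.TypeSymlink, Linkname: "../../../../etc/cron.d"}, "")
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	root := "/var/lib/clair/layers/sha256-example" // hypothetical extraction directory
	name := "../../../../../../tmp/pwned"
	fmt.Printf("naive: %s -> %s\n", name, resolveNaive(root, name)) // lands at /tmp/pwned
	if _, err := resolveSafe(root, name); err != nil {
		fmt.Printf("safe:  %s -> rejected (%v)\n", name, err)
	}
	flagged, err := FindTraversal(root, buildLayer())
	if err != nil {
		panic(err)
	}
	for _, f := range flagged {
		fmt.Println("flagged:", f)
	}
}
```

Run it with go run: the naive join of the constructed entry resolves to /tmp/pwned, the hardened resolver rejects it, and FindTraversal flags both the traversal file and the escaping symlink while accepting the absolute /bin/sh -> /bin/busybox link. Absolute symlink targets are rebased onto the layer root rather than rejected because container images legitimately contain them; a real extractor must additionally never follow an already-extracted symlink when creating later entries, since that is the other classic route out of the root.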

🔍 How to Verify

Check if Vulnerable:

Check the Clair version: if it is below v4.1.1, or a source build's go.mod pins github.com/quay/claircore to a revision before commit 691f2023a1720a0579e688b69a2f4bfe1f4b7821, the deployment is vulnerable.

Check Version:

clair --version

Verify Fix Applied:

Confirm that the running binary or deployed image tag is v4.1.1 or later and, for source builds, that the ClairCore dependency resolves to a revision containing commit 691f2023a1720a0579e688b69a2f4bfe1f4b7821. Then re-index a known-good image to confirm the patched indexer still completes scans.

📡 Detection & Monitoring

Log Indicators:

  • Indexer errors while processing a particular layer digest, repeated across retries for the same manifest (a patched ClairCore is expected to reject traversal entries rather than write them)
  • Files created outside Clair's working and temp directories by the clair process; Clair does not log individual file writes, so file integrity monitoring or auditd rules on the Clair host are the practical source

Network Indicators:

  • Outbound connections from the Clair host to anything other than its database, the configured registries and its vulnerability update sources
  • Layer fetches by the indexer from registries that are not on your trusted list, and manifests submitted to the indexer API from unexpected clients

SIEM Query:

source="clair" ("path traversal" OR "directory traversal" OR "../")

Splunk-style starting point; adjust the source and field names to your pipeline. Clair emits structured JSON logs, so also alert on a burst of indexer error events tied to a single manifest or layer digest.
