Nixpkgs security tracker
9.1 CRITICAL
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): High (H)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): High (H)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
Importing a crafted backup leads to project restriction bypass
In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise.
References
Affected products
- <5.21.5
- <5.0.7
- <6.8.0
Matching in nixpkgs
pkgs.lxd-ui
Web user interface for LXD
pkgs.lxd-lts
Daemon based on liblxc offering a REST API to manage containers
pkgs.lxd-image-server
Creates and manages a simplestreams lxd image server on top of nginx
pkgs.lxd-unwrapped-lts
Daemon based on liblxc offering a REST API to manage containers
pkgs.python312Packages.pylxd
Library for interacting with the LXD REST API
pkgs.python313Packages.pylxd
Library for interacting with the LXD REST API
pkgs.python314Packages.pylxd
Library for interacting with the LXD REST API
pkgs.terraform-providers.lxd
None
Package maintainers
-
@mkg20001 Maciej Krüger <mkg20001+nix@gmail.com>