The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-24579

CVE-2024-24579: Anchore Stereoscope Path Traversal Flaw

CVE-2024-24579 is a path traversal vulnerability in Anchore Stereoscope that enables attackers to write files outside temporary directories via crafted OCI archives. This article covers technical details, impact, and solutions.

Published: April 8, 2026

CVE-2024-24579 Overview

CVE-2024-24579 is a path traversal vulnerability in Anchore Stereoscope, a Go library used for processing container images and simulating a squash filesystem. Prior to version 0.0.1, attackers can craft a malicious OCI tar archive that, when processed by stereoscope's unarchive functionality, results in arbitrary file writes to paths outside of the intended unarchive temporary directory.

Critical Impact

This path traversal vulnerability enables attackers to write arbitrary files to the filesystem outside the expected extraction directory, potentially leading to remote code execution, system compromise, or data manipulation when processing untrusted container images.

Affected Products

  • Anchore Stereoscope versions prior to 0.0.1
  • Applications using github.com/anchore/stereoscope/pkg/file.UntarToDirectory() function
  • Applications using github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider struct
  • Applications using github.com/anchore/stereoscope/pkg/image.Image.Read() function

Discovery Timeline

  • 2024-01-31 - CVE-2024-24579 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-24579

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. The flaw exists in how stereoscope handles the extraction of OCI tar archives. When processing container images in OCI tar format, the library fails to properly validate and sanitize file paths contained within the archive before writing extracted files to disk.

An attacker can exploit this by embedding malicious path components (such as ../ sequences) within file entries of a crafted OCI tar archive. When stereoscope processes this archive, it follows these unsanitized paths, allowing files to be written outside the designated temporary extraction directory to arbitrary locations on the filesystem.

Root Cause

The root cause lies in insufficient path validation during the tar extraction process. Specifically, the vulnerable functions—UntarToDirectory(), TarballImageProvider, and Image.Read()—do not adequately check whether resolved file paths remain within the intended extraction directory boundary. This allows relative path components in archive entries to escape the extraction directory.

Attack Vector

The attack is network-exploitable without requiring authentication or user interaction. An attacker can exploit this vulnerability by:

  1. Crafting a malicious OCI tar archive containing entries with path traversal sequences (e.g., ../../etc/cron.d/malicious)
  2. Providing this malicious archive to an application that uses stereoscope for container image processing
  3. When the application attempts to extract and process the OCI archive, files are written to attacker-controlled locations on the filesystem

The vulnerability allows writing arbitrary files with the privileges of the process running stereoscope. This can lead to overwriting critical system files, planting malicious scripts for later execution, or establishing persistence mechanisms.

The vulnerability manifests in the tar extraction process within stereoscope's OCI archive handling. When processing archive entries, the library fails to validate that the resolved extraction path remains within the designated temporary directory. Malicious archives can include entries with relative path components that, when resolved during extraction, point to locations outside the intended directory. For detailed technical information, see the GitHub Security Advisory and the patch commit.

Detection Methods for CVE-2024-24579

Indicators of Compromise

  • Unexpected files appearing in directories outside container image extraction paths
  • Suspicious file creation events in sensitive system directories (e.g., /etc/, /usr/, /var/)
  • Container image processing logs showing unusual file paths with ../ sequences
  • Unexplained modifications to system configuration files or cron jobs

Detection Strategies

  • Monitor file system write operations during container image processing for path traversal patterns
  • Implement application-level logging to capture all file paths being extracted from OCI archives
  • Use file integrity monitoring (FIM) solutions to detect unauthorized file modifications in critical directories
  • Review stereoscope dependency versions in Go modules (go.mod) to identify vulnerable versions

Monitoring Recommendations

  • Enable audit logging for file creation events, particularly in system directories
  • Monitor process activity of applications using stereoscope for suspicious file operations
  • Implement container image scanning to detect malicious archives before processing
  • Set up alerts for any file writes outside expected container working directories

How to Mitigate CVE-2024-24579

Immediate Actions Required

  • Upgrade Anchore Stereoscope to version 0.0.1 or later immediately
  • Audit applications using stereoscope to identify exposure to untrusted OCI archives
  • Restrict the sources of container images to trusted registries only
  • Review file system permissions to limit the impact of potential arbitrary file writes

Patch Information

The vulnerability has been addressed in stereoscope version 0.0.1. The fix is available in commit 09dacab4d9ee65ee8bc7af8ebf4aa7b5aaa36204. Organizations should update their Go dependencies to pull the patched version. Review the official patch commit for implementation details.

Workarounds

  • Switch from OCI tar archive input to OCI layout format by manually unarchiving the tar archive first
  • Provide the unarchived directory to stereoscope instead of the tar archive directly
  • Run stereoscope-based applications in isolated environments with restricted filesystem access
  • Implement additional path validation at the application level before processing OCI archives
bash
# Workaround: Convert OCI tar archive to OCI layout before processing
# Instead of using the tar archive directly, extract it first
mkdir -p /tmp/oci-layout
tar -xf container-image.tar -C /tmp/oci-layout

# Then provide the extracted directory path to your stereoscope-based application
# This avoids the vulnerable tar extraction code path

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePath Traversal
  • Vendor/TechAnchore Stereoscope
  • SeverityCRITICAL
  • CVSS Score9.8
  • EPSS Probability0.07%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-22
  • Technical References
  • GitHub Security Advisory
  • Vendor Resources
  • GitHub Commit Reference
  • Latest CVEs
  • CVE-2025-70797: LimeSurvey XSS Vulnerability
  • CVE-2025-30650: Juniper Junos OS Auth Bypass Vulnerability
  • CVE-2026-5980: D-Link DIR-605L Buffer Overflow Flaw
  • CVE-2026-5979: D-Link DIR-605L Buffer Overflow Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English