How severe is CVE-2023-32684?

This vulnerability has a severity rating of LOW with a CVSS score of 2.5 out of 10.

What type of vulnerability is CVE-2023-32684?

This is classified as CWE-552, which is a common weakness in software security.

CVE-2023-32684 - LOW Severity | CVSS 2.5

Vulnerability Description

Lima launches Linux virtual machines, typically on macOS, for running containerd. Prior to version 0.16.0, a virtual machine instance with a malicious disk image could read a single file on the host filesystem, even when no filesystem is mounted from the host. The official templates of Lima and the well-known third party products (Colima, Rancher Desktop, and Finch) are unlikely to be affected by this issue. To exploit this issue, the attacker has to embed the target file path (an absolute or a relative path from the instance directory) in a malicious disk image, as the qcow2 (or vmdk) backing file path string. As Lima refuses to run as the root, it is practically impossible for the attacker to read the entire host disk via `/dev/rdiskN`. Also, practically, the attacker cannot read at least the first 512 bytes (MBR) of the target file. The issue has been patched in Lima in version 0.16.0 by prohibiting using a backing file path in the VM base image.

Related Vulnerabilities

CVE-2019-19018

LOW

CVSS:2.7(Low)

An issue was discovered in TitanHQ WebTitan before 5.18. It exposes a database configuration file under /include/dbconfig.ini in the web administration interface, revealing what database the web appli...

CWE-5522019

CVE-2021-21429

LOW

CVSS:3.3(Low)

OpenAPI Generator allows generation of API client libraries, server stubs, documentation and configuration automatically given an OpenAPI Spec. Using `File.createTempFile` in JDK will result in creati...

CWE-5522021

CVE-2022-42834

LOW

CVSS:3.3(Low)

An access issue was addressed with improved access restrictions. This issue is fixed in macOS Monterey 12.6.3, macOS Ventura 13, macOS Big Sur 11.7.3. An app may be able to access mail folder attachme...

CWE-5522022

CVE-2024-48838

LOW

CVSS:3.3(Low)

Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) a Files or Directories Accessible to External Parties vulnerability. A low privileged attacker with local ...

CWE-5522024

CVE-2019-4398

MEDIUM

CVSS:4.0(Medium)

IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5 through 2.5.0.9 and 2.4 through 2.4.0.5 could allow a local user to obtain sensitive information from SessionManagement cookies. IBM X-...

CWE-5522019

CVE-2025-4634

MEDIUM

CVSS:4.1(Medium)

The web portal on airpointer 2.4.107-2 was vulnerable local file inclusion. A malicious user with administrative privileges in the web portal would be able to manipulate requests to view files on the ...

CWE-5522025