SCA: security update for github.com/lima-vm/lima (GHSA-f7qw-jj9c-rpq9)

low Tenable Self-Hosted Container Security Plugin ID 414364

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Lima launches Linux virtual machines, typically on macOS, for running containerd. Prior to version 0.16.0,
a virtual machine instance with a malicious disk image could read a single file on the host filesystem,
even when no filesystem is mounted from the host. The official templates of Lima and the well-known third
party products (Colima, Rancher Desktop, and Finch) are unlikely to be affected by this issue. To exploit
this issue, the attacker has to embed the target file path (an absolute path, or a path relative to the
instance directory) in a malicious disk image, as the qcow2 (or vmdk) backing file path string. As Lima
refuses to run as root, it is practically impossible for the attacker to read the entire host disk via
`/dev/rdiskN`. Also, practically, the attacker cannot read at least the first 512 bytes (MBR) of the
target file. The issue has been patched in Lima in version 0.16.0 by prohibiting the use of a backing file
path in the VM base image. (CVE-2023-32684)
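
The mechanism behind the CVE is that a qcow2 header carries an offset and length for an optional backing
file name, and the hypervisor will open whatever path that string names. The check below is an added
example written for this page, not Lima's own code: it parses the fixed qcow2 header fields (magic,
version, backing_file_offset, backing_file_size, as laid out in the QEMU qcow2 specification for versions
2 and 3), returns any embedded backing file path, and refuses the image as a VM base image when one is
present. The `buildQcow2Header` helper and the `../../../etc/hosts` path are constructed test data, not
taken from the advisory; the header it produces is not a bootable image.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Fixed qcow2 header layout shared by versions 2 and 3 (QEMU qcow2 spec):
//   0..3   magic "QFI\xfb"      4..7   version
//   8..15  backing_file_offset  16..19 backing_file_size (at most 1023)
const (
	qcow2Magic        = 0x514649fb
	qcow2MinHeaderLen = 72
	maxBackingFileLen = 1023
)

// ErrHasBackingFile is returned when an image meant to be self-contained
// points at another file. Wrapped with the offending path for logging.
var ErrHasBackingFile = errors.New("qcow2 image declares a backing file; refusing to use it as a base image")

// BackingFile returns the backing file path string embedded in a qcow2 image,
// or "" if the image is self-contained. It only reads the header and the
// path bytes, never the referenced file itself.
func BackingFile(r io.ReaderAt) (string, error) {
	hdr := make([]byte, qcow2MinHeaderLen)
	if _, err := r.ReadAt(hdr, 0); err != nil {
		return "", fmt.Errorf("read header: %w", err)
	}
	if binary.BigEndian.Uint32(hdr[0:4]) != qcow2Magic {
		return "", errors.New("not a qcow2 image")
	}
	if v := binary.BigEndian.Uint32(hdr[4:8]); v != 2 && v != 3 {
		return "", fmt.Errorf("unsupported qcow2 version %d", v)
	}
	off := binary.BigEndian.Uint64(hdr[8:16])
	size := binary.BigEndian.Uint32(hdr[16:20])
	if off == 0 && size == 0 {
		return "", nil // no backing file declared
	}
	if off == 0 || size == 0 || size > maxBackingFileLen {
		return "", errors.New("malformed backing file offset/size")
	}
	name := make([]byte, size)
	if _, err := r.ReadAt(name, int64(off)); err != nil {
		return "", fmt.Errorf("read backing file name: %w", err)
	}
	return string(name), nil
}

// CheckBaseImage is the policy the advisory's fix enforces: a base image
// handed to the VM must not reference any other file, absolute or relative.
func CheckBaseImage(r io.ReaderAt) error {
	bf, err := BackingFile(r)
	if err != nil {
		return err
	}
	if bf != "" {
		return fmt.Errorf("%w: %q", ErrHasBackingFile, bf)
	}
	return nil
}

// buildQcow2Header constructs a minimal v3 header (constructed sample data,
// not a usable disk) that optionally declares a backing file, the way a
// malicious image would.
func buildQcow2Header(backing string) []byte {
	const headerLen = 104 // v3 header length; backing name is placed right after it
	img := make([]byte, 4096)
	binary.BigEndian.PutUint32(img[0:4], qcow2Magic)
	binary.BigEndian.PutUint32(img[4:8], 3)
	if backing != "" {
		binary.BigEndian.PutUint64(img[8:16], headerLen)
		binary.BigEndian.PutUint32(img[16:20], uint32(len(backing)))
		copy(img[headerLen:], backing)
	}
	binary.BigEndian.PutUint32(img[20:24], 16)      // cluster_bits
	binary.BigEndian.PutUint64(img[24:32], 1<<30)   // virtual size
	binary.BigEndian.PutUint32(img[100:104], headerLen)
	return img
}

func main() {
	clean := buildQcow2Header("")
	hostile := buildQcow2Header("../../../etc/hosts") // constructed example path
	fmt.Println("clean image:", CheckBaseImage(bytes.NewReader(clean)))
	fmt.Println("hostile image:", CheckBaseImage(bytes.NewReader(hostile)))
}
```

The check must run on the image file before it is passed to QEMU (or any other hypervisor backend), not
after; once the VM is started the backing file has already been opened. It covers qcow2 only, which is
the format the advisory names first; a vmdk image keeps its parent reference as a text descriptor entry
and needs a separate check. Relative paths are resolved by the hypervisor against the image's own
directory, which is why the advisory treats a relative path from the instance directory as reachable.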

See Also

https://github.com/advisories/GHSA-f7qw-jj9c-rpq9

Plugin Details

Severity: Low

ID: 414364

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Low

Base Score: 1.2

Temporal Score: 0.9

Vector: CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2023-32684

CVSS v3

Risk Factor: Low

Base Score: 2.5

Temporal Score: 2.2

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/31/2023

Vulnerability Publication Date: 5/30/2023

Reference Information

CVE: CVE-2023-32684

CWE: CWE-552