GHSA-JRM4-4PCF-4763
Vulnerability from github – Published: 2026-05-05 22:18 – Updated: 2026-05-05 22:18
VLAI?
Summary
ciguard: Container image runs as root (no USER directive)
Details
Summary
The published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. ciguard is a static analyser with no need for root privileges; running as root inside a container makes any future container-runtime escape CVE more impactful than it needs to be.
Threat scenario
Defence-in-depth gap. Without a known container-runtime CVE in the chain, this finding is not directly exploitable. Recent runc CVEs (e.g. CVE-2024-21626) provided escape primitives that depended on host UID = container UID = 0 for full impact; with this fix, any future such escape primitive lands as a non-root user on the host.
Patch
- Dockerfile adds
RUN groupadd -r ciguard && useradd -r -g ciguard -d /home/ciguard -m -s /usr/sbin/nologin ciguard && chown -R ciguard:ciguard /reports /policies-mount /app. - Followed by
USER ciguardbefore theCMDdirective. - Trivy DS-0002 misconfig clears (
Tests: 20 SUCCESSES: 20 FAILURES: 0).
Discovery
Found by Trivy filesystem scan during ciguard's first self-conducted pentest cycle, 2026-04-26.
CVSS Scoring
- CVSS v3.1:
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N— 2.0 (Low) - CVSS v4.0:
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N— 3.4 (Low) per Cycle 1 report; GitHub's calc 1.8 (Low). Both Low.
Verification
$ docker run --rm ghcr.io/jo-jo98/ciguard:v0.8.2 id
uid=999(ciguard) gid=999(ciguard) groups=999(ciguard)
Resources
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.1"
},
"package": {
"ecosystem": "PyPI",
"name": "ciguard"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0"
},
{
"fixed": "0.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44218"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T22:18:15Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Summary\n\nThe published `ghcr.io/jo-jo98/ciguard` container image inherits the default root user because the `Dockerfile` lacks a `USER` directive. ciguard is a static analyser with no need for root privileges; running as root inside a container makes any future container-runtime escape CVE more impactful than it needs to be.\n\n## Threat scenario\n\nDefence-in-depth gap. Without a known container-runtime CVE in the chain, this finding is not directly exploitable. Recent runc CVEs (e.g. CVE-2024-21626) provided escape primitives that depended on host UID = container UID = 0 for full impact; with this fix, any future such escape primitive lands as a non-root user on the host.\n\n## Patch\n\n- Dockerfile adds `RUN groupadd -r ciguard \u0026\u0026 useradd -r -g ciguard -d /home/ciguard -m -s /usr/sbin/nologin ciguard \u0026\u0026 chown -R ciguard:ciguard /reports /policies-mount /app`.\n- Followed by `USER ciguard` before the `CMD` directive.\n- Trivy DS-0002 misconfig clears (`Tests: 20 SUCCESSES: 20 FAILURES: 0`).\n\n## Discovery\n\nFound by Trivy filesystem scan during ciguard\u0027s first self-conducted pentest cycle, 2026-04-26.\n\n## CVSS Scoring\n\n- CVSS v3.1: `CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N` \u2014 2.0 (Low)\n- CVSS v4.0: `CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N` \u2014 3.4 (Low) per Cycle 1 report; GitHub\u0027s calc 1.8 (Low). Both Low.\n\n## Verification\n\n```\n$ docker run --rm ghcr.io/jo-jo98/ciguard:v0.8.2 id\nuid=999(ciguard) gid=999(ciguard) groups=999(ciguard)\n```\n\n## Resources\n\n- Fix released in [v0.8.2](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.2)\n- CI regression gate added in [v0.8.3](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3)",
"id": "GHSA-jrm4-4pcf-4763",
"modified": "2026-05-05T22:18:15Z",
"published": "2026-05-05T22:18:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Jo-Jo98/ciguard/security/advisories/GHSA-jrm4-4pcf-4763"
},
{
"type": "PACKAGE",
"url": "https://github.com/Jo-Jo98/ciguard"
},
{
"type": "WEB",
"url": "https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.2"
},
{
"type": "WEB",
"url": "https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ciguard: Container image runs as root (no USER directive)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…