Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite does not restrict the kernel capabilities available inside the container, malicious code can remount the directory in rw mode, thereby gaining write access to that directory. This allows malicious code to perform arbitrary write operations on directories that should be read-only. This issue has been patched in version 0.9.0.
Boxlite before version 0.9.0 does not restrict kernel capabilities available inside the container. Malicious code running in the container can exploit these privileges to remount a directory with read-write (rw) flag, thereby bypassing the security measures enforcing read-only mode. As a result, the code gains the ability to write arbitrarily to directories that should be protected.
An attacker can perform arbitrary write operations on directories marked as read-only, which leads to breaking sandbox isolation and compromising the integrity of the host file system or shared resources.
Boxlite should be updated to version 0.9.0, in which the issue was fixed. The patch is available in the project repository on GitHub (tag v0.9.0).
Boxlite in versions prior to 0.9.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N