Incus Pongo2 Template Arbitrary File Read/Write Vulnerability

Vulnerability

A vulnerability in Incus, a system container and virtual machine manager, prior to version 6.23.0, allows arbitrary file read and write operations as root on the host server. The issue arises from the implementation of pongo2 templates within instances, which can be used to template files during the instance lifecycle. The expectation was that the pongo2 chroot feature would confine access to the instance's filesystem. However, pongo2 bypasses the chroot isolation, which gives unrestricted access to the entire system's filesystem with root privileges.

Impact

Exploitation of this vulnerability allows for arbitrary file read and write operations on the host server as root, potentially leading to unauthorized access or modification of critical system files.

Remediation

Users can upgrade to Incus version 6.23.0 or later to address this vulnerability.
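
To find hosts that still need this upgrade, the following added example (not code from the Incus project or from this advisory) compares collected Incus versions numerically against 6.23.0, the only fixed version named above. The "host version" inventory format, the host names and the function names are assumptions; how the versions are gathered is left to the operator.

```shell
# Added example, not Incus project code. The fixed release comes from the advisory;
# the "host version" inventory format and host names are assumptions.
FIXED_VERSION="6.23.0"

# version_ge A B: succeed when dotted numeric version A >= B.
# Missing trailing fields count as 0, so "6.23" equals "6.23.0".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }' </dev/null
}

# triage_inventory: read "host version" lines on stdin, print "host VERDICT version".
# Versions that are not purely dotted numbers are reported as UNKNOWN, never as OK.
triage_inventory() {
    while read -r host version; do
        case $host in ''|'#'*) continue ;; esac
        case $version in
            ''|*[!0-9.]*|.*|*.|*..*) echo "$host UNKNOWN $version" ;;
            *)  if version_ge "$version" "$FIXED_VERSION"; then
                    echo "$host OK $version"
                else
                    echo "$host VULNERABLE $version"
                fi ;;
        esac
    done
}

# Constructed sample inventory (not real hosts).
sample_inventory() {
    cat <<'EOF'
# host   incus-version
node-a   6.22
node-b   6.23.0
node-c   6.0.4
node-d   6.24
node-e   unknown
EOF
}

sample_inventory | triage_inventory
```

Hosts reported as UNKNOWN need a manual check, since an unparseable version string is never treated as patched.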

Added: Mar 26, 2026, 11:22 PM
Updated: Mar 26, 2026, 11:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 5.2
remediation: 0.0
relevance: 4.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.