[GO-2024-2658] Container escape at build time in github.com/containers/buildah

Severity: High
Affected Packages: 1
Fixed Packages: 1
CVEs: 1

A crafted container file can use a dummy image with a symbolic link to the host
filesystem as a mount source and cause the mount operation to mount the host
filesystem during a build-time RUN step. The commands inside the RUN step
will then have read-write access to the host filesystem.

Affected package
  Package: pkg:golang/github.com/containers/buildah/internal/volumes
  Affected version: >= 1.35.0, < 1.35.1

Source
  Security Advisory: https://github.com/advisories/GHSA-pmf3-c36m-g5cf

Package status
  Fixed
    Package URL: pkg:golang/github.com/containers/buildah/internal/volumes
    Namespace: github.com/containers/buildah/internal
    Name / Product: volumes
    Version: = 1.35.1
  Affected
    Package URL: pkg:golang/github.com/containers/buildah/internal/volumes
    Namespace: github.com/containers/buildah/internal
    Name / Product: volumes
    Version: >= 1.35.0 < 1.35.1