[GO-2024-2658] Container escape at build time in github.com/containers/buildah
- Severity: High
- Affected Packages: 1
- Fixed Packages: 1
- CVEs: 1
A crafted container file can use a dummy image with a symbolic link to the host
filesystem as a mount source and cause the mount operation to mount the host
filesystem during a build-time RUN step. The commands inside the RUN step
will then have read-write access to the host filesystem.
Package | Affected Version |
---|---|
pkg:golang/github.com/containers/buildah/internal/volumes | >= 1.35.0, < 1.35.1 |
Package | Fixed Version |
---|---|
pkg:golang/github.com/containers/buildah/internal/volumes | = 1.35.1 |
- ID: GO-2024-2658
- Severity: high
- Severity from: CVE-2024-1753
- URL: https://pkg.go.dev/vuln/GO-2024-2658
- Published: 2024-03-20T00:01:16
- Modified: 2024-05-14T19:19:00
- Other Advisories:
- ALPINE:CVE-2024-1753
- ALSA-2024:2055
- ALSA-2024:2084
- ALSA-2024:2098
- ALSA-2024:2548
- ALSA-2024:3254
- ELSA-2024-2055
- ELSA-2024-2084
- ELSA-2024-2098
- ELSA-2024-2548
- ELSA-2024-3254
- FEDORA-2024-8409b5fa8e
- FEDORA-2024-a267e93f8c
- FEDORA-2024-dd32f390b3
- GLSA-202407-12
- GLSA-202407-25
- RHSA-2024:2055
- RHSA-2024:2084
- RHSA-2024:2098
- RHSA-2024:2548
- RHSA-2024:3254
- RLSA-2024:2548
- SUSE-SU-2024:1058-1
- SUSE-SU-2024:1059-1
- SUSE-SU-2024:1142-1
- SUSE-SU-2024:1143-1
- SUSE-SU-2024:1144-1
- SUSE-SU-2024:1145-1
- SUSE-SU-2024:1146-1
- SUSE-SU-2024:3120-1
- SUSE-SU-2024:3151-1
- SUSE-SU-2024:3186-1
Source | # ID | Name | URL |
---|---|---|---|
Security Advisory | | | https://github.com/advisories/GHSA-pmf3-c36m-g5cf |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Fixed | pkg:golang/github.com/containers/buildah/internal/volumes | github.com/containers/buildah/internal | volumes | = 1.35.1 | | | |
Affected | pkg:golang/github.com/containers/buildah/internal/volumes | github.com/containers/buildah/internal | volumes | >= 1.35.0 < 1.35.1 | | | |