Vulnerability Report: GO-2023-1681

CVE-2023-0778, GHSA-qwqv-rqgf-8qh8
Affects: github.com/containers/podman/v4
Published: Apr 03, 2023
Modified: Jun 12, 2023

A Time-of-check Time-of-use (TOCTOU) flaw appears in this version of podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system.

For detailed information about this vulnerability, visit https://github.com/advisories/GHSA-qwqv-rqgf-8qh8.

Affected Packages

Path

Versions

Symbols
github.com/containers/podman/v4/utils

before v4.4.2
- CreateTarFromSrc

Aliases

CVE-2023-0778
GHSA-qwqv-rqgf-8qh8

References

https://bugzilla.redhat.com/show_bug.cgi?id=2168256
https://github.com/containers/podman/pull/17528
https://github.com/containers/podman/pull/17532
https://github.com/containers/podman/commit/6ca857feb07a5fdc96fd947afef03916291673d8
https://github.com/advisories/GHSA-qwqv-rqgf-8qh8
https://vuln.go.dev/ID/GO-2023-1681.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL