Vulnerability Report: GO-2024-2658

CVE-2024-1753, GHSA-pmf3-c36m-g5cf
Affects: github.com/containers/buildah
Published: Mar 22, 2024
Modified: May 20, 2024

A crafted container file can use a dummy image with a symbolic link to the host filesystem as a mount source and cause the mount operation to mount the host filesystem during a build-time RUN step. The commands inside the RUN step will then have read-write access to the host filesystem.

Affected Packages

Path

Go Versions

Symbols
github.com/containers/buildah/internal/volumes

before v1.35.1
- GetBindMount
- GetVolumes

Aliases

CVE-2024-1753
GHSA-pmf3-c36m-g5cf

References

https://github.com/containers/buildah/commit/9de9c20ff368beb84b84fe660773d352519dc1c5
https://bugzilla.redhat.com/show_bug.cgi?id=2265513
https://vuln.go.dev/ID/GO-2024-2658.json

Credits

@rmcnamara-snyk

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL