Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS12bWhqLXA5aHctdmdyZs4AAjjP

Podman has Files or Directories Accessible to External Parties

A flaw was discovered in Podman where it incorrectly allows containers when created to overwrite existing files in volumes, even if they are mounted as read-only. When a user runs a malicious container or a container based on a malicious image with an attached volume that is used for the first time, it is possible to trigger the flaw and overwrite files in the volume. This issue was introduced in version 1.6.0.

Permalink: https://github.com/advisories/GHSA-vmhj-p9hw-vgrf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12bWhqLXA5aHctdmdyZs4AAjjP
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago

CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-vmhj-p9hw-vgrf, CVE-2020-1726
References:

• https://nvd.nist.gov/vuln/detail/CVE-2020-1726
• https://access.redhat.com/errata/RHSA-2020:0680
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1726
• http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00097.html
• http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00103.html
• https://access.redhat.com/errata/RHSA-2020:1650
• https://access.redhat.com/security/cve/CVE-2020-1726
• https://bugzilla.redhat.com/show_bug.cgi?id=1801152
• https://github.com/containers/podman/commit/c140ecdc9b416ab4efd4d21d14acd63b6adbdd42
• https://github.com/advisories/GHSA-vmhj-p9hw-vgrf

Repository: https://github.com/containers/podman
Blast Radius: 6.4

Affected Packages