Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1maHFxLThmNjUtNXhmY84AA_6C

Improper Input Validation in Buildah and Podman

A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. Buildah (and Podman, which uses Buildah for image builds) does not properly validate the value passed to this option, so a Containerfile author can pass arbitrary parameters through to the underlying mount. This can be exploited to mount sensitive host directories into the container during the build and, in some cases, to modify the contents of the mounted files. SELinux does not prevent this: the injected parameters can cause the source directory to be relabeled, giving the container access to the host files.
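To make the validation failure concrete, the following Go program is an added example written for this page, not Buildah's or Podman's own code. It parses the RUN --mount specs of a constructed Containerfile, shows a pass-through handling of bind-propagation beside an allowlist check, and reports the lines whose value is not one of the documented propagation modes. The allowlist (shared, rshared, slave, rslave, private, rprivate) is taken from the Dockerfile RUN --mount reference; the function names, the sample Containerfile and the use of the token `z` (the Podman/Buildah SELinux relabel mount option) as a stand-in for any non-propagation value are assumptions for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// allowedPropagation lists the bind-propagation values the Dockerfile
// RUN --mount reference documents. Assumption: taken from that reference,
// not from Buildah's source.
var allowedPropagation = map[string]bool{
	"shared": true, "rshared": true, "slave": true, "rslave": true, "private": true, "rprivate": true,
}

// parseMountSpec splits "type=bind,source=/s,target=/t,bind-propagation=x"
// into key/value pairs; a bare key such as "readonly" gets an empty value.
func parseMountSpec(spec string) map[string]string {
	kv := map[string]string{}
	for _, field := range strings.Split(spec, ",") {
		k, v, _ := strings.Cut(strings.TrimSpace(field), "=")
		kv[k] = v
	}
	return kv
}

// mountOptionsUnchecked sketches the weak behaviour the advisory describes: whatever
// follows bind-propagation= is appended to the mount options as-is (hypothetical, not Buildah's code).
func mountOptionsUnchecked(spec map[string]string) []string {
	opts := []string{"bind"}
	if p, ok := spec["bind-propagation"]; ok {
		opts = append(opts, p)
	}
	return opts
}

// mountOptionsChecked is the hardened form: only a documented propagation
// mode is accepted, anything else is rejected before it reaches the mount.
func mountOptionsChecked(spec map[string]string) ([]string, error) {
	opts := []string{"bind"}
	if p, ok := spec["bind-propagation"]; ok {
		if !allowedPropagation[p] {
			return nil, fmt.Errorf("invalid bind-propagation value %q", p)
		}
		opts = append(opts, p)
	}
	return opts, nil
}

// Finding is one RUN --mount whose bind-propagation value fails the allowlist.
type Finding struct {
	Line  int
	Value string
}

// ScanContainerfile extracts every --mount=... flag on RUN lines and reports
// those whose bind-propagation value is not an allowed mode, so a CI step can
// refuse the build before an unpatched Buildah ever sees it.
func ScanContainerfile(content string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(content))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(strings.ToUpper(line), "RUN ") {
			continue
		}
		for _, tok := range strings.Fields(line) {
			if !strings.HasPrefix(tok, "--mount=") {
				continue
			}
			spec := parseMountSpec(strings.TrimPrefix(tok, "--mount="))
			if _, err := mountOptionsChecked(spec); err != nil {
				findings = append(findings, Finding{Line: lineNo, Value: spec["bind-propagation"]})
			}
		}
	}
	return findings
}

// sampleContainerfile is constructed input for this example, not a real build file.
// The value "z" on line 3 stands for any non-propagation token an unchecked path would forward.
const sampleContainerfile = `FROM quay.io/fedora/fedora:latest
RUN --mount=type=bind,source=.,target=/src,bind-propagation=rprivate make -C /src
RUN --mount=type=bind,source=.,target=/src,bind-propagation=z cat /src/README
RUN --mount=type=cache,target=/var/cache/dnf dnf -y install gcc
`

func main() {
	for _, f := range ScanContainerfile(sampleContainerfile) {
		fmt.Printf("line %d: rejected bind-propagation value %q\n", f.Line, f.Value)
	}
	spec := parseMountSpec("type=bind,source=.,target=/src,bind-propagation=z")
	fmt.Println("unchecked mount options:", mountOptionsUnchecked(spec))
}
```

Run as a pre-build lint, the scanner gives a CI pipeline a cheap guard while a build host still runs an unpatched Buildah; the actual fix is upgrading to the versions listed under Affected Packages, where the same allowlist idea is applied inside the builder rather than in front of it.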

Permalink: https://github.com/advisories/GHSA-fhqq-8f65-5xfc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1maHFxLThmNjUtNXhmY84AA_6C
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: 9 days ago


CVSS Score: 4.7
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N

Identifiers: GHSA-fhqq-8f65-5xfc, CVE-2024-9407
References:
Repository: https://github.com/containers/podman
Blast Radius: 11.8

Affected Packages

go:github.com/containers/podman/v4
Dependent packages: 80
Dependent repositories: 80
Downloads:
Affected Version Ranges: <= 5.2.3
Fixed in: 5.2.4
All affected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.2, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5
All unaffected versions:
go:github.com/containers/podman/v3
Dependent packages: 151
Dependent repositories: 53
Downloads:
Affected Version Ranges: <= 5.2.3
Fixed in: 5.2.4
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7
All unaffected versions:
go:github.com/containers/podman/v2
Dependent packages: 19
Dependent repositories: 12
Downloads:
Affected Version Ranges: <= 5.2.3
Fixed in: 5.2.4
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.2.0, 2.2.1
All unaffected versions:
go:github.com/containers/podman
Dependent packages: 0
Dependent repositories: 2
Downloads:
Affected Version Ranges: <= 5.2.3
Fixed in: 5.2.4
All affected versions: 0.2.1, 0.2.2, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.9.1, 0.9.2, 0.9.3, 0.10.1, 0.11.1, 0.12.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.9.1, 1.9.2, 1.9.3
All unaffected versions:
go:github.com/containers/podman/v5
Dependent packages: 7
Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 5.2.3
Fixed in: 5.2.4
All affected versions: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 5.2.3
All unaffected versions: 5.2.4, 5.2.5
go:github.com/containers/buildah
Dependent packages: 260
Dependent repositories: 321
Downloads:
Affected Version Ranges: <= 1.37.3
Fixed in: 1.37.4
All affected versions: 0.16.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.11.7, 1.12.0, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.14.6, 1.14.7, 1.14.8, 1.14.9, 1.14.10, 1.14.11, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 1.16.5, 1.16.6, 1.16.7, 1.16.8, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.19.6, 1.19.7, 1.19.8, 1.19.9, 1.19.10, 1.19.11, 1.20.0, 1.20.1, 1.20.2, 1.21.0, 1.21.1, 1.21.2, 1.21.3, 1.21.4, 1.21.5, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.22.4, 1.22.5, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.23.4, 1.23.5, 1.24.0, 1.24.1, 1.24.2, 1.24.3, 1.24.4, 1.24.5, 1.24.6, 1.24.7, 1.25.0, 1.25.1, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4, 1.26.5, 1.26.6, 1.26.7, 1.27.0, 1.27.1, 1.27.2, 1.27.3, 1.27.4, 1.28.0, 1.28.1, 1.28.2, 1.29.0, 1.29.1, 1.29.2, 1.29.3, 1.29.4, 1.30.0, 1.31.0, 1.31.1, 1.31.2, 1.31.3, 1.31.4, 1.31.5, 1.32.0, 1.32.1, 1.32.2, 1.32.3, 1.33.0, 1.33.1, 1.33.2, 1.33.3, 1.33.4, 1.33.5, 1.33.6, 1.33.7, 1.33.8, 1.33.10, 1.34.0, 1.34.1, 1.34.2, 1.34.3, 1.35.0, 1.35.1, 1.35.2, 1.35.3, 1.35.4, 1.36.0, 1.37.0, 1.37.1, 1.37.2, 1.37.3
All unaffected versions: 1.37.4, 1.37.5