An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZ4OHctbWp2bS1odnBj

Severity: High
EPSS: 0.00873% (0.74559 Percentile)

Path Traversal in Buildah

Affected Packages

Package: go:github.com/containers/buildah
PURL: pkg:go/github.com%2Fcontainers%2Fbuildah
Affected Versions: < 1.14.4
Fixed Versions: 1.14.4
Dependent packages: 260
Dependent repositories: 321

Affected Version Ranges

All affected versions

v0.16.0, v1.7.1, v1.7.2, v1.7.3, v1.8.0, v1.8.1, v1.8.2, v1.8.3, v1.8.4, v1.9.0, v1.9.1, v1.9.2, v1.10.0, v1.10.1, v1.11.0, v1.11.1, v1.11.2, v1.11.3, v1.11.4, v1.11.5, v1.11.6, v1.11.7, v1.12.0, v1.13.0, v1.13.1, v1.13.2, v1.14.0, v1.14.1, v1.14.2, v1.14.3

All unaffected versions

v1.14.4, v1.14.5, v1.14.6, v1.14.7, v1.14.8, v1.14.9, v1.14.10, v1.14.11, v1.15.0, v1.15.1, v1.15.2, v1.16.0, v1.16.1, v1.16.2, v1.16.3, v1.16.4, v1.16.5, v1.16.6, v1.16.7, v1.16.8, v1.17.0, v1.17.1, v1.17.2, v1.18.0, v1.19.0, v1.19.1, v1.19.2, v1.19.3, v1.19.4, v1.19.6, v1.19.7, v1.19.8, v1.19.9, v1.19.10, v1.19.11, v1.20.0, v1.20.1, v1.20.2, v1.21.0, v1.21.1, v1.21.2, v1.21.3, v1.21.4, v1.21.5, v1.22.0, v1.22.1, v1.22.2, v1.22.3, v1.22.4, v1.22.5, v1.23.0, v1.23.1, v1.23.2, v1.23.3, v1.23.4, v1.23.5, v1.24.0, v1.24.1, v1.24.2, v1.24.3, v1.24.4, v1.24.5, v1.24.6, v1.24.7, v1.25.0, v1.25.1, v1.26.0, v1.26.1, v1.26.2, v1.26.3, v1.26.4, v1.26.5, v1.26.6, v1.26.7, v1.27.0, v1.27.1, v1.27.2, v1.27.3, v1.27.4, v1.28.0, v1.28.1, v1.28.2, v1.29.0, v1.29.1, v1.29.2, v1.29.3, v1.29.4, v1.30.0, v1.31.0, v1.31.1, v1.31.2, v1.31.3, v1.31.4, v1.31.5, v1.32.0, v1.32.1, v1.32.2, v1.32.3, v1.33.0, v1.33.1, v1.33.2, v1.33.3, v1.33.4, v1.33.5, v1.33.6, v1.33.7, v1.33.8, v1.33.10, v1.34.0, v1.34.1, v1.34.2, v1.34.3, v1.35.0, v1.35.1, v1.35.2, v1.35.3, v1.35.4, v1.36.0, v1.37.0, v1.37.1, v1.37.2, v1.37.3, v1.37.4, v1.37.5

A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.

Specific Go Packages Affected

github.com/containers/buildah/imagebuildah
