| { |
| "schema_version": "1.3.1", |
| "id": "GO-2024-2658", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2024-1753", |
| "GHSA-pmf3-c36m-g5cf" |
| ], |
| "related": [ |
| "GHSA-874v-pj72-92f3" |
| ], |
| "summary": "Container escape at build time in github.com/containers/buildah", |
| "details": "A crafted container file can use a dummy image with a symbolic link to the host filesystem as a mount source and cause the mount operation to mount the host filesystem during a build-time RUN step. The commands inside the RUN step will then have read-write access to the host filesystem.", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/containers/buildah", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "1.35.1" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/containers/buildah/internal/volumes", |
| "symbols": [ |
| "GetBindMount", |
| "GetVolumes" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "FIX", |
| "url": "https://github.com/containers/buildah/commit/9de9c20ff368beb84b84fe660773d352519dc1c5" |
| }, |
| { |
| "type": "REPORT", |
| "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265513" |
| } |
| ], |
| "credits": [ |
| { |
| "name": "@rmcnamara-snyk" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2024-2658" |
| } |
| } |
