id: GO-2024-2658
modules:
    - module: github.com/containers/buildah
      versions:
        - fixed: 1.35.1
      vulnerable_at: 1.35.0
      packages:
        - package: github.com/containers/buildah/internal/volumes
          symbols:
            - GetBindMount
          derived_symbols:
            - GetVolumes
summary: Container escape at build time in github.com/containers/buildah
description: |-
    A crafted container file can use a dummy image with a symbolic link to the host
    filesystem as a mount source and cause the mount operation to mount the host
    filesystem during a build-time RUN step. The commands inside the RUN step
    will then have read-write access to the host filesystem.
cves:
    - CVE-2024-1753
ghsas:
    - GHSA-pmf3-c36m-g5cf
related:
    - GHSA-874v-pj72-92f3
credits:
    - '@rmcnamara-snyk'
references:
    - fix: https://github.com/containers/buildah/commit/9de9c20ff368beb84b84fe660773d352519dc1c5
    - report: https://bugzilla.redhat.com/show_bug.cgi?id=2265513
notes:
    - |
      GHSA-874v-pj72-92f3 is a DEPENDENT_VULNERABILITY
      of this report, but the GHSA database considers it an
      alias of CVE-2024-1753. Adding the GHSA as "related"
      prevents our tooling from adding it to the aliases field.
review_status: REVIEWED