blob: 5561f799940bb93fc64048fc6f336e095af5cb46 [file] [log] [blame]
id: GO-2024-2658
modules:
- module: github.com/containers/buildah
versions:
- fixed: 1.35.1
vulnerable_at: 1.35.0
packages:
- package: github.com/containers/buildah/internal/volumes
symbols:
- GetBindMount
derived_symbols:
- GetVolumes
summary: Container escape at build time in github.com/containers/buildah
description: |-
A crafted container file can use a dummy image with a symbolic link to the host
filesystem as a mount source and cause the mount operation to mount the host
filesystem during a build-time RUN step. The commands inside the RUN step
will then have read-write access to the host filesystem.
cves:
- CVE-2024-1753
ghsas:
- GHSA-pmf3-c36m-g5cf
credits:
- '@rmcnamara-snyk'
references:
- fix: https://github.com/containers/buildah/commit/9de9c20ff368beb84b84fe660773d352519dc1c5
- report: https://bugzilla.redhat.com/show_bug.cgi?id=2265513