| id: GO-2024-2658 |
| modules: |
| - module: github.com/containers/buildah |
| versions: |
| - fixed: 1.35.1 |
| vulnerable_at: 1.35.0 |
| packages: |
| - package: github.com/containers/buildah/internal/volumes |
| symbols: |
| - GetBindMount |
| derived_symbols: |
| - GetVolumes |
| summary: Container escape at build time in github.com/containers/buildah |
| description: |- |
| A crafted container file can use a dummy image with a symbolic link to the host |
| filesystem as a mount source and cause the mount operation to mount the host |
| filesystem during a build-time RUN step. The commands inside the RUN step |
| will then have read-write access to the host filesystem. |
| cves: |
| - CVE-2024-1753 |
| ghsas: |
| - GHSA-pmf3-c36m-g5cf |
| related: |
| - GHSA-874v-pj72-92f3 |
| credits: |
| - '@rmcnamara-snyk' |
| references: |
| - fix: https://github.com/containers/buildah/commit/9de9c20ff368beb84b84fe660773d352519dc1c5 |
| - report: https://bugzilla.redhat.com/show_bug.cgi?id=2265513 |
| notes: |
| - | |
| GHSA-874v-pj72-92f3 is a DEPENDENT_VULNERABILITY |
| of this report, but the GHSA database considers it an |
| alias of CVE-2024-1753. Adding the GHSA as "related" |
| prevents our tooling from adding it to the aliases field. |
