CVE-2024-1753

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-1753
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-1753.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-1753
Aliases
Related
Published
2024-03-18T15:15:41Z
Modified
2024-09-16T20:50:11.254065Z
Summary
[none]
Details

A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.

References

Affected packages

Debian:11 / golang-github-containers-buildah

Package

Name
golang-github-containers-buildah
Purl
pkg:deb/debian/golang-github-containers-buildah?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.19.6+dfsg1-1
1.20.0+ds1-1
1.20.1+ds1-1
1.20.1+ds1-2
1.21.0+ds1-2
1.21.3+ds1-1
1.22.3+ds1-1
1.22.3+ds1-2
1.23.1+ds1-1
1.23.1+ds1-2
1.23.1+ds1-3
1.24.1+ds1-1
1.26.1+ds1-1
1.27.0+ds1-2
1.27.0+ds1-3
1.27.0+ds1-4
1.27.0+ds1-5
1.27.0+ds1-6
1.28.0+ds1-1
1.28.0+ds1-2
1.28.0+ds1-3
1.28.2+ds1-1
1.28.2+ds1-2
1.28.2+ds1-3
1.29.0+ds1-1
1.30.0+ds1-1
1.30.0+ds1-2
1.30.0+ds1-3
1.31.2+ds1-1
1.31.2+ds1-2
1.31.2+ds1-3
1.32.0+ds1-1
1.32.0+ds1-2
1.32.2+ds1-1
1.33.1+ds1-1
1.33.1+ds1-2
1.33.3+ds1-1
1.33.3+ds1-2
1.33.5+ds1-3
1.33.5+ds1-4
1.33.7+ds1-1
1.34.0+ds1-1
1.34.0+ds1-2
1.35.3+ds1-1
1.35.3+ds1-2
1.35.3+ds1-3
1.37.0+ds1-1
1.37.1+ds1-1
1.37.1+ds1-2
1.37.2+ds1-1
1.37.2+ds1-2
1.37.2+ds1-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / golang-github-containers-buildah

Package

Name
golang-github-containers-buildah
Purl
pkg:deb/debian/golang-github-containers-buildah?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.28.2+ds1-3
1.29.0+ds1-1
1.30.0+ds1-1
1.30.0+ds1-2
1.30.0+ds1-3
1.31.2+ds1-1
1.31.2+ds1-2
1.31.2+ds1-3
1.32.0+ds1-1
1.32.0+ds1-2
1.32.2+ds1-1
1.33.1+ds1-1
1.33.1+ds1-2
1.33.3+ds1-1
1.33.3+ds1-2
1.33.5+ds1-3
1.33.5+ds1-4
1.33.7+ds1-1
1.34.0+ds1-1
1.34.0+ds1-2
1.35.3+ds1-1
1.35.3+ds1-2
1.35.3+ds1-3
1.37.0+ds1-1
1.37.1+ds1-1
1.37.1+ds1-2
1.37.2+ds1-1
1.37.2+ds1-2
1.37.2+ds1-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / golang-github-containers-buildah

Package

Name
golang-github-containers-buildah
Purl
pkg:deb/debian/golang-github-containers-buildah?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.33.7+ds1-1

Affected versions

1.*

1.28.2+ds1-3
1.29.0+ds1-1
1.30.0+ds1-1
1.30.0+ds1-2
1.30.0+ds1-3
1.31.2+ds1-1
1.31.2+ds1-2
1.31.2+ds1-3
1.32.0+ds1-1
1.32.0+ds1-2
1.32.2+ds1-1
1.33.1+ds1-1
1.33.1+ds1-2
1.33.3+ds1-1
1.33.3+ds1-2
1.33.5+ds1-3
1.33.5+ds1-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}