GHSA-c3g4-w6cv-6v7h

Source

https://github.com/advisories/GHSA-c3g4-w6cv-6v7h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-c3g4-w6cv-6v7h/GHSA-c3g4-w6cv-6v7h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c3g4-w6cv-6v7h

Aliases

Related

CGA-gpr2-42c3-43rf

Published

2022-04-01T13:56:42Z

Modified

2023-11-01T05:44:47.674464Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Non-empty default inheritable capabilities for linux container in Buildah

Details

A bug was found in Buildah where containers were created with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2).

This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set.

References

Affected packages

Go / github.com/containers/buildah

Package

Name: github.com/containers/buildah; View open source insights on deps.dev
Purl: pkg:golang/github.com/containers/buildah

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.25.0