UBUNTU-CVE-2024-1753
See a problem?- Source
- https://ubuntu.com/security/notices/UBUNTU-CVE-2024-1753
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-1753.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-1753
- Related
- Published
- 2024-03-18T15:15:00Z
- Modified
- 2024-03-18T15:15:00Z
- Summary
- [none]
- Details
-
A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.
- References
-
- https://ubuntu.com/security/CVE-2024-1753
- https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf
- https://access.redhat.com/security/cve/CVE-2024-1753
- https://bugzilla.redhat.com/show_bug.cgi?id=2265513
- https://github.com/containers/podman/security/advisories/GHSA-874v-pj72-92f3
- https://www.cve.org/CVERecord?id=CVE-2024-1753
Affected packages
Ubuntu:22.04:LTS / golang-github-containers-buildah
Package
- Name
- golang-github-containers-buildah
Ubuntu:24.04:LTS / golang-github-containers-buildah
Package
- Name
- golang-github-containers-buildah
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected