Search for packages
| purl | pkg:deb/debian/libpod@0?distro=bullseye |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-3zm9-mtqp-5qdt | Podman Path Traversal Vulnerability leads to arbitrary file read/write A path traversal vulnerability has been discovered in podman before version 1.4.0 in the way it handles symlinks inside containers. An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read/written when an administrator tries to copy a file from/to the container. |
CVE-2019-10152
GHSA-rh5f-2w6r-q7vj |
| VCID-75hs-t8bs-23e9 | Podman Symlink Vulnerability An issue was discovered in Podman in libpod before 1.6.0. It resolves a symlink in the host context during a copy operation from the container to the host, because an undesired glob operation occurs. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host. |
CVE-2019-18466
GHSA-r34v-gqmw-qvgj |
| VCID-artb-94uw-33c5 | Podman Elevated Container Privileges It has been discovered that podman before version 0.6.1 does not drop capabilities when executing a container as a non-root user. This results in unnecessary privileges being granted to the container. |
CVE-2018-10856
GHSA-wp7w-vx86-vj9h |
| VCID-gzfd-vguv-dqa1 | Podman Time-of-check Time-of-use (TOCTOU) Race Condition A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system. |
CVE-2023-0778
GHSA-qwqv-rqgf-8qh8 |
| VCID-mzjw-b6mh-nugs | Exposure of Sensitive Information to an Unauthorized Actor and Origin Validation Error in podman A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM. |
CVE-2021-4024
GHSA-3cf2-x423-x582 |
| VCID-tuub-p4f4-nqer | Podman Improper Certificate Validation; machine missing TLS verification ### Impact The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry (which it does by default since 5.0.0) allowing a possible Man In The Middle attack. ### Patches https://github.com/containers/podman/commit/726b506acc8a00d99f1a3a1357ecf619a1f798c3 Fixed in v5.5.2 ### Workarounds Download the disk image manually via some other tool that verifies the TLS connection. Then pass the local image as file path (podman machine init --image ./somepath) |
CVE-2025-6032
GHSA-65gg-3w2w-hr4h |