VulnerableCode Package Details - pkg:rpm/redhat/buildah@2:1.37.5-1?arch=el9

Search for packages

Vulnerability	Summary	Fixed by
VCID-e14a-39np-13bx Aliases: CVE-2024-9407 GHSA-fhqq-8f65-5xfc	Improper Input Validation in Buildah and Podman A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.	There are no reported fixed by versions.
VCID-hfxt-nnd8-dfc8 Aliases: CVE-2024-34156	encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion	There are no reported fixed by versions.
VCID-hs7s-yxfz-mbf1 Aliases: CVE-2024-34155	go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion	There are no reported fixed by versions.
VCID-j9nr-4d4t-j3e1 Aliases: CVE-2024-9675 GHSA-586p-749j-fhwp	Buildah allows arbitrary directory mount A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.	There are no reported fixed by versions.
VCID-p3we-3y2n-vugu Aliases: CVE-2024-9341 GHSA-mc76-5925-c5p6	Link Following in github.com/containers/common A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.	There are no reported fixed by versions.
VCID-rdqf-wp1t-j7b5 Aliases: CVE-2024-34158	go/build/constraint: golang: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion	There are no reported fixed by versions.
VCID-zcxt-ccb2-eufc Aliases: CVE-2024-9676	Podman: Buildah: CRI-O: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS)	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-e14a-39np-13bx
Aliases:
CVE-2024-9407
GHSA-fhqq-8f65-5xfc

Improper Input Validation in Buildah and Podman A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.