Bug 2317458 (CVE-2024-9675)

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2024-9675 buildah: Buildah allows arbitrary directory mount | | |
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | bdettelb, doconnor, lsm5, teagle, tsweeney |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within the cache directory, allowing a `RUN` instruction in a Containerfile to mount an arbitrary directory from the host (read/write) into the container, as long as those files can be accessed by the user running Buildah. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2317459, 2317460, 2317461, 2317462, 2317463, 2317464, 2317465, 2317466 | | |
| Bug Blocks: | | | |
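The Doc Text describes the missing check: a user-controlled cache path has to be confined to the cache directory before anything is mounted from it. The Go function below is an added example of such a containment check, written for this page; it is not Buildah's code and does not reproduce the project's actual fix. The cache root and the user-supplied identifiers it is called with are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideCache is returned when a requested cache path would escape the cache root.
var ErrOutsideCache = errors.New("cache path escapes the cache directory")

// ResolveCachePath maps a user-supplied cache location (constructed example:
// the id or subpath a build instruction asks to cache) to an on-disk directory
// and verifies that the result stays inside cacheRoot.
//
// The check is lexical first: the joined path is cleaned and compared against
// the cleaned root with filepath.Rel, so ".." components and absolute paths
// cannot step outside. If the resulting directory already exists, symlinks in
// both the root and the candidate are resolved and the containment check is
// repeated, because a symlink inside the cache pointing at / would otherwise
// defeat the purely lexical test.
func ResolveCachePath(cacheRoot, userPath string) (string, error) {
	root := filepath.Clean(cacheRoot)
	if !filepath.IsAbs(root) {
		return "", fmt.Errorf("cache root %q must be absolute", cacheRoot)
	}
	if userPath == "" {
		return "", errors.New("empty cache path")
	}
	// Join treats an absolute userPath as relative to root ("/etc" -> root/etc):
	// the caller names a location within the cache, never a host location.
	candidate := filepath.Join(root, userPath)
	if !isWithin(root, candidate) {
		return "", ErrOutsideCache
	}
	// Second pass through symlinks; only possible when the path already exists.
	if _, err := os.Lstat(candidate); err == nil {
		realRoot, err := filepath.EvalSymlinks(root)
		if err != nil {
			return "", err
		}
		realCandidate, err := filepath.EvalSymlinks(candidate)
		if err != nil {
			return "", err
		}
		if !isWithin(realRoot, realCandidate) {
			return "", ErrOutsideCache
		}
	}
	return candidate, nil
}

// isWithin reports whether target is root itself or lies beneath it.
func isWithin(root, target string) bool {
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return false
	}
	if rel == "." {
		return true
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	root := "/var/lib/buildah-cache" // constructed root for illustration
	for _, p := range []string{"go-build", "/abs/inside", "../../etc", ".."} {
		got, err := ResolveCachePath(root, p)
		fmt.Printf("%-14q -> %q, err=%v\n", p, got, err)
	}
}
```

The lexical pass rejects traversal regardless of whether the directory exists yet; the symlink pass closes the case where an earlier build planted a link inside the cache. In a real mount path the resolved directory should be the exact string handed to the mount call, so that nothing is re-derived between the check and the mount.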
Description
OSIDB Bzimport
2024-10-09 02:49:15 UTC
This issue has been addressed in the following products:

- Red Hat Enterprise Linux 9: RHSA-2024:8563 (https://access.redhat.com/errata/RHSA-2024:8563)
- Red Hat Enterprise Linux 9.0 Extended Update Support: RHSA-2024:8675 (https://access.redhat.com/errata/RHSA-2024:8675)
- Red Hat Enterprise Linux 9.0 Extended Update Support: RHSA-2024:8679 (https://access.redhat.com/errata/RHSA-2024:8679)
- Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.6 Telecommunications Update Service: RHSA-2024:8703 (https://access.redhat.com/errata/RHSA-2024:8703)
- Red Hat Enterprise Linux 9.2 Extended Update Support: RHSA-2024:8708 (https://access.redhat.com/errata/RHSA-2024:8708)
- Red Hat Enterprise Linux 8.8 Extended Update Support: RHSA-2024:8707 (https://access.redhat.com/errata/RHSA-2024:8707)
- Red Hat Enterprise Linux 9.2 Extended Update Support: RHSA-2024:8709 (https://access.redhat.com/errata/RHSA-2024:8709)
- Red Hat Enterprise Linux 8: RHSA-2024:8846 (https://access.redhat.com/errata/RHSA-2024:8846)
- Red Hat OpenShift Container Platform 4.16: RHSA-2024:8686 (https://access.redhat.com/errata/RHSA-2024:8686)
- Red Hat OpenShift Container Platform 4.13: RHSA-2024:8690 (https://access.redhat.com/errata/RHSA-2024:8690)
- Red Hat OpenShift Container Platform 4.14: RHSA-2024:8700 (https://access.redhat.com/errata/RHSA-2024:8700)
- Red Hat Enterprise Linux 9: RHSA-2024:9051 (https://access.redhat.com/errata/RHSA-2024:9051)
- Red Hat Enterprise Linux 9: RHSA-2024:9454 (https://access.redhat.com/errata/RHSA-2024:9454)
- Red Hat Enterprise Linux 9: RHSA-2024:9459 (https://access.redhat.com/errata/RHSA-2024:9459)
- Red Hat OpenShift Container Platform 4.17: RHSA-2024:8984 (https://access.redhat.com/errata/RHSA-2024:8984)
- Red Hat OpenShift Container Platform 4.15: RHSA-2024:8994 (https://access.redhat.com/errata/RHSA-2024:8994)
- Red Hat OpenShift Container Platform 4.18: RHSA-2025:2449 (https://access.redhat.com/errata/RHSA-2025:2449)
- Red Hat OpenShift Container Platform 4.17: RHSA-2025:2445 (https://access.redhat.com/errata/RHSA-2025:2445)
- Red Hat OpenShift Container Platform 4.15: RHSA-2025:2454 (https://access.redhat.com/errata/RHSA-2025:2454)
- Red Hat OpenShift Container Platform 4.14: RHSA-2025:2710 (https://access.redhat.com/errata/RHSA-2025:2710)
- Red Hat OpenShift Container Platform 4.13: RHSA-2025:2701 (https://access.redhat.com/errata/RHSA-2025:2701)
- Red Hat OpenShift Container Platform 4.16: RHSA-2025:3301 (https://access.redhat.com/errata/RHSA-2025:3301)
- Red Hat OpenShift Container Platform 4.12: RHSA-2025:3573 (https://access.redhat.com/errata/RHSA-2025:3573)