CVE-2024-1753

CVSS V2: None
CVSS V3: None
Description
A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.
Overview
  • CVE ID: CVE-2024-1753
  • Assigner: redhat
  • Vulnerability Status: PUBLISHED
  • Published Version: 2024-03-18T14:23:44.213Z
  • Last Modified Date: 2024-06-04T18:00:10.892Z
References
Reference URL (reference tags in parentheses):
  • https://access.redhat.com/errata/RHSA-2024:2049 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:2055 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:2064 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:2066 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:2077 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:2084 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:2089 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:2090 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:2097 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:2098 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:2548 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:2645 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:2669 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:2672 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:2784 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:2877 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2024:3254 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/security/cve/CVE-2024-1753 (vdb-entry, x_refsource_REDHAT)
  • https://bugzilla.redhat.com/show_bug.cgi?id=2265513 (issue-tracking, x_refsource_REDHAT)
  • https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf
  • https://github.com/containers/podman/security/advisories/GHSA-874v-pj72-92f3
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCRZVUDOFM5CPREQKBEU2VK2QK62PSBP/
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYMVMQ7RWMDTSKQTBO734BE3WQPI2AJ/
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVBSVZGVABPYIHK5HZM472NPGWMI7WXH/
History
  • Created 2024-06-26 06:32:30: Added to TrackCVE (no old value, new value, data type or notes recorded)