Red Hat OpenShift: CVE-2024-1753: buildah: full container escape at build time
Severity | CVSS v2 vector | Published | Added | Modified
---|---|---|---|---
7 | (AV:L/AC:L/Au:N/C:C/I:C/A:C) | 03/18/2024 | 05/09/2024 | 02/18/2025
Description
A flaw was found in Buildah (and consequently in Podman Build, which is built on it) that lets a build mount arbitrary locations on the host filesystem into build containers. A Containerfile may bind-mount content from another image into a RUN step (`RUN --mount=type=bind,from=<image>,source=<path>,target=<path>`). A malicious Containerfile can name a dummy image in which the `source` path is a symbolic link to the root filesystem; affected versions resolve that link against the host rather than inside the image's own root, so the mount operation mounts the host root filesystem into the RUN step. Commands inside the RUN step then have read-write access to the host filesystem, which amounts to a full container escape at build time. Any user or CI pipeline that builds an untrusted Containerfile on an unpatched host is exposed.
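As an added example (not code from this advisory or from the buildah/podman project), the following POSIX shell script flags the construct described above, a RUN step whose `--mount` flag takes its content `from=` another image, so that a CI pipeline can refuse to build untrusted Containerfiles containing it on hosts that may still run an unpatched buildah. The Containerfile text inside the script is constructed for the example and the image name in it is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the buildah/podman project.
# Before building an untrusted Containerfile on a host that may still run an
# unpatched buildah, flag RUN steps that mount content from another image
# ("--mount=...,from=<image>,..."): that is the construct the description above
# says can be abused to get the host root filesystem mounted into the RUN step.
# The Containerfile text below is constructed for this example; the image name
# example.invalid/dummy:latest is hypothetical.

CONTAINERFILE_SAMPLE='FROM registry.access.redhat.com/ubi9/ubi-minimal
RUN microdnf install -y git
# Hostile step: "from=" names an attacker-controlled image whose "source" path
# is a symlink to /, so on an unpatched buildah /mnt becomes the host root, rw.
RUN --mount=type=bind,from=example.invalid/dummy:latest,source=/hostroot,target=/mnt,rw \
    cp /mnt/etc/shadow /tmp/shadow
RUN --mount=type=cache,target=/var/cache/dnf dnf -y update
'

# flag_image_mounts FILE: print "<lineno>:<line>" for every RUN step in FILE
# whose --mount flag carries a from= option (content taken from another image).
# Exit status follows grep: 0 if at least one line matched, 1 if none.
flag_image_mounts() {
    grep -niE '^[[:space:]]*RUN[[:space:]].*--mount=([^[:space:]]*,)?from=' "$1"
}

# audit_containerfile FILE: print the findings and return 1 (block the build)
# when any RUN step mounts from another image, 0 when the file is clean.
audit_containerfile() {
    if hits=$(flag_image_mounts "$1"); then
        printf 'REVIEW %s: RUN steps mount content from another image:\n%s\n' "$1" "$hits"
        return 1
    fi
    printf 'OK %s: no RUN --mount ... from= steps\n' "$1"
    return 0
}

# Stand-alone run: write the constructed sample to a temp file and audit it.
sample=$(mktemp)
printf '%s' "$CONTAINERFILE_SAMPLE" > "$sample"
if audit_containerfile "$sample"; then
    echo "build may proceed"
else
    echo "build blocked pending review"
fi
rm -f "$sample"
```

The check is deliberately broad: it flags every `from=` mount rather than trying to decide which source images are trustworthy, because the whole point of the flaw is that an innocuous-looking image under the attacker's control is enough. Treat a hit as "review before building on this host", and pair the check with the RPM upgrade below rather than using it as a substitute.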
Solution
Upgrade the podman and buildah RPMs to the fixed builds shipped in the Red Hat advisories listed under References (remediation identifier: linuxrpm-upgrade-podman). Until the upgrade is applied, do not build Containerfiles from untrusted sources on affected hosts, since a single malicious RUN step is enough to obtain read-write access to the host filesystem.
References
- CVE-2024-1753
- https://attackerkb.com/topics/CVE-2024-1753
- REDHAT-RHSA-2024:2049
- REDHAT-RHSA-2024:2055
- REDHAT-RHSA-2024:2064
- REDHAT-RHSA-2024:2066
- REDHAT-RHSA-2024:2077
- REDHAT-RHSA-2024:2084
- REDHAT-RHSA-2024:2089
- REDHAT-RHSA-2024:2090
- REDHAT-RHSA-2024:2097
- REDHAT-RHSA-2024:2098
- REDHAT-RHSA-2024:2548
- REDHAT-RHSA-2024:2645
- REDHAT-RHSA-2024:2669
- REDHAT-RHSA-2024:2672
- REDHAT-RHSA-2024:2784
- REDHAT-RHSA-2024:2877
- REDHAT-RHSA-2024:3254