vulnerability
Rocky Linux: CVE-2024-1753: container-tools-rhel8 (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:L/AC:L/Au:N/C:C/I:C/A:C) | 03/18/2024 | 05/08/2024 | 02/18/2025 |
Severity
7
CVSS
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
Published
03/18/2024
Added
05/08/2024
Modified
02/18/2025
Description
A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.
Solution(s)
rocky-upgrade-aardvark-dnsrocky-upgrade-buildahrocky-upgrade-buildah-debuginforocky-upgrade-buildah-debugsourcerocky-upgrade-buildah-testsrocky-upgrade-buildah-tests-debuginforocky-upgrade-conmonrocky-upgrade-conmon-debuginforocky-upgrade-conmon-debugsourcerocky-upgrade-containernetworking-pluginsrocky-upgrade-containernetworking-plugins-debuginforocky-upgrade-containernetworking-plugins-debugsourcerocky-upgrade-containers-commonrocky-upgrade-critrocky-upgrade-criurocky-upgrade-criu-debuginforocky-upgrade-criu-debugsourcerocky-upgrade-criu-develrocky-upgrade-criu-libsrocky-upgrade-criu-libs-debuginforocky-upgrade-crunrocky-upgrade-crun-debuginforocky-upgrade-crun-debugsourcerocky-upgrade-fuse-overlayfsrocky-upgrade-fuse-overlayfs-debuginforocky-upgrade-fuse-overlayfs-debugsourcerocky-upgrade-libslirprocky-upgrade-libslirp-debuginforocky-upgrade-libslirp-debugsourcerocky-upgrade-libslirp-develrocky-upgrade-netavarkrocky-upgrade-oci-seccomp-bpf-hookrocky-upgrade-oci-seccomp-bpf-hook-debuginforocky-upgrade-oci-seccomp-bpf-hook-debugsourcerocky-upgrade-podmanrocky-upgrade-podman-catatonitrocky-upgrade-podman-catatonit-debuginforocky-upgrade-podman-debuginforocky-upgrade-podman-debugsourcerocky-upgrade-podman-gvproxyrocky-upgrade-podman-gvproxy-debuginforocky-upgrade-podman-pluginsrocky-upgrade-podman-plugins-debuginforocky-upgrade-podman-remoterocky-upgrade-podman-remote-debuginforocky-upgrade-podman-testsrocky-upgrade-python3-criurocky-upgrade-runcrocky-upgrade-runc-debuginforocky-upgrade-runc-debugsourcerocky-upgrade-skopeorocky-upgrade-skopeo-debuginforocky-upgrade-skopeo-debugsourcerocky-upgrade-skopeo-testsrocky-upgrade-slirp4netnsrocky-upgrade-slirp4netns-debuginforocky-upgrade-slirp4netns-debugsourcerocky-upgrade-toolboxrocky-upgrade-toolbox-debuginforocky-upgrade-toolbox-debugsourcerocky-upgrade-toolbox-tests
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.