x/vulndb: potential Go vuln in github.com/containers/buildah: GHSA-586p-749j-fhwp #3186

GoVulnBot · 2024-10-09T20:01:24Z

Advisory GHSA-586p-749j-fhwp references a vulnerability in the following Go modules:

Module
github.com/containers/buildah

Description:
A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a RUN instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.

References:

ADVISORY: GHSA-586p-749j-fhwp
ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-9675
WEB: https://access.redhat.com/security/cve/CVE-2024-9675
WEB: https://bugzilla.redhat.com/show_bug.cgi?id=2317458

Cross references:

github.com/containers/buildah appears in 5 other report(s):
- data/reports/GO-2022-0345.yaml (x/vulndb: potential Go vuln in github.com/containers/buildah: CVE-2021-3602 #345)
- data/reports/GO-2022-0417.yaml (x/vulndb: potential Go vuln in github.com/containers/buildah: CVE-2022-27651 #417)
- data/reports/GO-2022-0828.yaml (x/vulndb: potential Go vuln in github.com/containers/buildah/imagebuildah: GHSA-fx8w-mjvm-hvpc #828)
- data/reports/GO-2022-1008.yaml (x/vulndb: potential Go vuln in github.com/containers/buildah: CVE-2022-2990, GHSA-fjm8-m7m6-2fjp #1008)
- data/reports/GO-2024-2658.yaml (x/vulndb: potential Go vuln in github.com/containers/buildah: GHSA-pmf3-c36m-g5cf #2658)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/containers/buildah
      vulnerable_at: 1.37.4
summary: Buildah allows arbitrary directory mount in github.com/containers/buildah
cves:
    - CVE-2024-9675
ghsas:
    - GHSA-586p-749j-fhwp
references:
    - advisory: https://github.com/advisories/GHSA-586p-749j-fhwp
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9675
    - web: https://access.redhat.com/security/cve/CVE-2024-9675
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=2317458
source:
    id: GHSA-586p-749j-fhwp
    created: 2024-10-09T20:01:24.565663051Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-10-11T14:18:23Z

Change https://go.dev/cl/619696 mentions this issue: data/reports: add 6 reports

gopherbot · 2024-12-11T20:57:45Z

Change https://go.dev/cl/635417 mentions this issue: data/reports: review GO-2024-3186

maceonthompson self-assigned this Oct 11, 2024

gopherbot closed this as completed in 4b21264 Oct 11, 2024

tatianab self-assigned this Dec 11, 2024

tatianab reopened this Dec 11, 2024

tatianab added the high priority label Dec 11, 2024

gopherbot closed this as completed in 9f0fe4d Dec 12, 2024

GoVulnBot mentioned this issue Jan 21, 2025

x/vulndb: potential Go vuln in github.com/containers/buildah: GHSA-5vpc-35f4-r8w6 #3414

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/containers/buildah: GHSA-586p-749j-fhwp #3186

x/vulndb: potential Go vuln in github.com/containers/buildah: GHSA-586p-749j-fhwp #3186

GoVulnBot commented Oct 9, 2024

gopherbot commented Oct 11, 2024

gopherbot commented Dec 11, 2024

x/vulndb: potential Go vuln in github.com/containers/buildah: GHSA-586p-749j-fhwp #3186

x/vulndb: potential Go vuln in github.com/containers/buildah: GHSA-586p-749j-fhwp #3186

Comments

GoVulnBot commented Oct 9, 2024

gopherbot commented Oct 11, 2024

gopherbot commented Dec 11, 2024