Paul Holzinger

Name of the Vulnerable Software and Affected Versions: Podman (affected versions not specified) Description: A flaw was found in Podman where the podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry, resulting in a potential Man In The Middle attack. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** podman versions 4.0.0 through 5.6.1 **Description** A vulnerability exists in podman where an attacker can use the `kube play` command to overwrite host files. This occurs when the kube file contains a Secret or a ConfigMap volume mount, and that volume contains a symbolic link to a host file path. In a successful attack, the attacker can control the target file to be overwritten but not the content written into the file. **Recommendations** Update podman to version 5.6.1 or later.

**Name of the Vulnerable Software and Affected Versions** containers/common versions (affected versions not specified) **Description** The issue is related to a flaw in the containers/common Go library, which incorrectly handles certain file paths when FIPS mode is enabled on a system. This allows an attacker to exploit symbolic links, tricking the system into mounting sensitive host directories inside a container and accessing critical host files, thus bypassing the intended isolation between containers and the host system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.