PT-2020-2769 · Red Hat+5 · Buildah+6
Published 2020-03-31 · Updated 2024-12-18
CVE-2020-10696
CVSS v2.0: 10 (High) | Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Buildah versions prior to 1.14.5
Description
A path traversal flaw was found in Buildah. An attacker can trick a user into building a malicious container image hosted on an HTTP(S) server and thereby write files anywhere on the user's system where that user has write permission. The root cause is incorrect restriction of path names to the intended directory: a remote attacker who supplies a crafted container image can use it to replace arbitrary files on the user's system.
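The weakness described above is a missing confinement check: a path taken from untrusted build input is used without verifying that it stays inside the directory it is supposed to land in. The following Go function is an added example of such a check written for this page; it is not Buildah's own code and does not reproduce the fixed code path. It assumes a build root directory (`/build/root` in the sample) and a constructed list of entry names, including traversal attempts, to show which are accepted and which are rejected.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a requested path would resolve outside root.
var ErrEscapesRoot = errors.New("destination escapes the build root")

// SafeDestination lexically confines `requested` (a path taken from an
// untrusted source, e.g. an archive entry name or an ADD destination) to
// `root`. Absolute requested paths are treated as relative to root, the way
// a container build treats paths inside the image rootfs. The check is
// purely lexical: it does not follow symlinks, so a symlink that already
// exists inside root and points outside it is not caught here (see the note
// after the code).
func SafeDestination(root, requested string) (string, error) {
	cleanRoot := filepath.Clean(root)
	// Strip leading separators so "/etc/app.conf" maps to "<root>/etc/app.conf".
	rel := strings.TrimLeft(filepath.ToSlash(requested), "/")
	candidate := filepath.Join(cleanRoot, filepath.FromSlash(rel))
	// Join cleans the result, so any ".." that climbed above root leaves the
	// candidate without the root prefix. Compare against root plus a trailing
	// separator so that "/build/root" does not accept "/build/rootkit".
	if candidate != cleanRoot &&
		!strings.HasPrefix(candidate, cleanRoot+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return candidate, nil
}

// ClassifyEntries applies SafeDestination to each name and returns the
// accepted names (mapped to their confined path) and the rejected names.
func ClassifyEntries(root string, names []string) (accepted map[string]string, rejected []string) {
	accepted = make(map[string]string)
	for _, n := range names {
		dest, err := SafeDestination(root, n)
		if err != nil {
			rejected = append(rejected, n)
			continue
		}
		accepted[n] = dest
	}
	return accepted, rejected
}

func main() {
	// Constructed sample entry names; the hypothetical build root is /build/root.
	names := []string{
		"app/config.yaml",   // plain relative path: accepted
		"/etc/app.conf",     // absolute: re-rooted under the build root
		"bin/../lib/x.so",   // ".." that stays inside root: accepted
		"../../escaped.txt", // climbs above root: rejected
		"..",                // resolves to the parent of root: rejected
	}
	acc, rej := ClassifyEntries("/build/root", names)
	for n, d := range acc {
		fmt.Printf("accept %q -> %s\n", n, d)
	}
	for _, n := range rej {
		fmt.Printf("reject %q: %v\n", n, ErrEscapesRoot)
	}
}
```

The prefix comparison is what turns the page's "incorrect restriction of the path name to a directory" into an enforced restriction. It is deliberately lexical; where the destination tree may already contain attacker-controlled symlinks (as an image layer can), the write should additionally go through a symlink-aware join that resolves each component against the root, such as the filepath-securejoin library, rather than a plain `filepath.Join`.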
Recommendations
For versions prior to 1.14.5, update to version 1.14.5 or later to resolve the issue. As a temporary workaround, restrict the use of Buildah to minimize the risk of exploitation, and do not use Buildah to build container images from untrusted sources until the update is applied.
Weakness Enumeration
Path traversal
Affected Products
Alt Linux
Almalinux
Buildah
Centos
Red Hat
Rocky Linux
Suse