PT-2024-7952
Published 2024-10-01 · Updated 2026-02-21
CVE-2024-9407
CVSS v4.0: 5.9 (Medium)
CVSS v4.0 vector: AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Docker (affected versions not specified)
Podman (affected versions not specified)
Buildah (affected versions not specified)
Description
A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction: the input passed to this option is not properly validated, so users can pass arbitrary parameters to the mount instruction. This can mount sensitive directories from the host into a container during the build process and allow the contents of those mounted files to be modified. The issue can bypass SELinux protection by relabeling the source directory to give the container access to host files.
Recommendations
For Docker, consider disabling the bind-propagation option in the Dockerfile RUN --mount instruction until a patch is available.
For Podman, restrict access to the --mount instruction to minimize the risk of exploitation.
For Buildah, avoid using the --mount option with arbitrary parameters until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
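To audit build files for the option the recommendations above say to avoid, here is an added example (not code from the advisory or from the Docker, Podman or Buildah projects): a small Python scanner that joins backslash line continuations, extracts every `--mount=` flag on a RUN instruction and reports those that set bind-propagation. The sample Dockerfile is constructed for the demonstration.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample Dockerfile (not from the advisory). The cache mount must
# not be flagged; the bind mount with bind-propagation must be.
SAMPLE_DOCKERFILE = """\
FROM alpine:3.20
# Ordinary cache mount: no bind-propagation, should not be flagged
RUN --mount=type=cache,target=/var/cache/apk apk add curl
# Bind mount that sets bind-propagation: flagged per the CVE-2024-9407 guidance
RUN --mount=type=bind,source=.,target=/src,bind-propagation=rshared \\
    make -C /src
RUN echo done
"""

MOUNT_FLAG = re.compile(r"--mount=(\S+)")


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first line number, instruction) with '\\' continuations joined."""
    buf: List[str] = []
    start = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None


def parse_mount_opts(spec: str) -> Dict[str, str]:
    """Turn 'type=bind,source=.,bind-propagation=rshared' into a dict."""
    opts: Dict[str, str] = {}
    for kv in spec.split(","):
        key, _, value = kv.partition("=")
        opts[key] = value
    return opts


def find_bind_propagation(text: str) -> List[Dict[str, object]]:
    """Report every RUN --mount flag that sets the bind-propagation option."""
    findings: List[Dict[str, object]] = []
    for n, inst in logical_lines(text):
        if not inst.lstrip().upper().startswith("RUN "):
            continue
        for spec in MOUNT_FLAG.findall(inst):
            opts = parse_mount_opts(spec)
            if "bind-propagation" in opts:
                findings.append({"line": n, "type": opts.get("type", "bind"),
                                 "propagation": opts["bind-propagation"]})
    return findings
```

Running `find_bind_propagation(SAMPLE_DOCKERFILE)` reports only the second RUN instruction; a CI step can fail the build whenever the returned list is non-empty.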
Affected Products
Alt Linux
Almalinux
Astra Linux
Buildah
Centos
Debian
Docker
Podman
Red Hat
Red Os
Rocky Linux
Suse