Fluid Attacks Database

Description

Path Traversal in Buildah A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.

Specific Go Packages Affected

github.com/containers/buildah/imagebuildah

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/containers/buildah	>=0 <1.14.4	1.14.4
debian 12	golang-github-containers-buildah	>=0 <1.11.6-2	1.11.6-2
debian 11	golang-github-containers-buildah	>=0 <1.11.6-2	1.11.6-2
debian 13	golang-github-containers-buildah	>=0 <1.11.6-2	1.11.6-2
go	github.com/containers/buildah/imagebuildah	>=0 <1.14.4	1.14.4
debian 14	golang-github-containers-buildah	>=0 <1.11.6-2	1.11.6-2

Aliases

1. CVE-2020-106962. NVD-2020-106963. OSV-2020-106964. OSV-DEBIAN-2020-106965. GHSA-fx8w-mjvm-hvpc6. GCVE-2020-106967. ACCESS-cve-2020-106968. SECURITY-TRACKER-CVE-2020-10696

References

1. https://github.com/containers/buildah/pull/22452. https://bugzilla.redhat.com/show_bug.cgi?id=18176513. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-106964. https://pkg.go.dev/vuln/GO-2022-0828