Fluid Attacks Database

Description

Buildah allows arbitrary directory mount A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a RUN instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	golang-github-containers-buildah	>=0 <1.37.4+ds1-1	1.37.4+ds1-1
debian 12	golang-github-containers-buildah	=1.28.2+ds1-3 \|\| =1.28.2+ds1-3+deb12u1 \|\| =1.29.0+ds1-1 \|\| =1.30.0+ds1-1 \|\| =1.30.0+ds1-2 \|\| =1.30.0+ds1-3 \|\| =1.31.2+ds1-1 \|\| =1.31.2+ds1-2 \|\| =1.31.2+ds1-3 \|\| =1.32.0+ds1-1 \|\| =1.32.0+ds1-2 \|\| =1.32.2+ds1-1 \|\| =1.33.1+ds1-1 \|\| =1.33.1+ds1-2 \|\| =1.33.3+ds1-1 \|\| =1.33.3+ds1-2 \|\| =1.33.5+ds1-3 \|\| =1.33.5+ds1-4 \|\| =1.33.7+ds1-1 \|\| =1.34.0+ds1-1 \|\| =1.34.0+ds1-2 \|\| =1.35.3+ds1-1 \|\| =1.35.3+ds1-2 \|\| =1.35.3+ds1-3 \|\| =1.37.0+ds1-1 \|\| =1.37.1+ds1-1 \|\| =1.37.1+ds1-2 \|\| =1.37.2+ds1-1 \|\| =1.37.2+ds1-2 \|\| =1.37.2+ds1-3 \|\| =1.37.3+ds1-1 \|\| =1.37.3+ds1-2 \|\| =1.37.3+ds1-3 \|\| =1.37.4+ds1-1 \|\| =1.37.5+ds1-1 \|\| =1.38.0+ds1-1 \|\| =1.38.0+ds1-2 \|\| =1.38.1+ds1-1 \|\| =1.39.0+ds1-1 \|\| =1.39.3+ds1-1 \|\| =1.41.4+ds1-1 \|\| =1.41.4+ds1-2 \|\| =1.41.4+ds1-3 \|\| =1.41.5+ds1-1 \|\| =1.41.5+ds1-2 \|\| =1.41.5+ds1-3 \|\| =1.41.5+ds1-4 \|\| =1.42.1+ds1-1 \|\| =1.42.1+ds1-2 \|\| =1.43.0+ds1-1 \|\| =1.43.0+ds1-2 \|\| =1.43.1+ds1-1	-
debian 11	golang-github-containers-buildah	=1.19.6+dfsg1-1 \|\| =1.20.0+ds1-1 \|\| =1.20.1+ds1-1 \|\| =1.20.1+ds1-2 \|\| =1.21.0+ds1-2 \|\| =1.21.3+ds1-1 \|\| =1.22.3+ds1-1 \|\| =1.22.3+ds1-2 \|\| =1.23.1+ds1-1 \|\| =1.23.1+ds1-2 \|\| =1.23.1+ds1-3 \|\| =1.24.1+ds1-1 \|\| =1.26.1+ds1-1 \|\| =1.27.0+ds1-2 \|\| =1.27.0+ds1-3 \|\| =1.27.0+ds1-4 \|\| =1.27.0+ds1-5 \|\| =1.27.0+ds1-6 \|\| =1.28.0+ds1-1 \|\| =1.28.0+ds1-2 \|\| =1.28.0+ds1-3 \|\| =1.28.2+ds1-1 \|\| =1.28.2+ds1-2 \|\| =1.28.2+ds1-3 \|\| =1.29.0+ds1-1 \|\| =1.30.0+ds1-1 \|\| =1.30.0+ds1-2 \|\| =1.30.0+ds1-3 \|\| =1.31.2+ds1-1 \|\| =1.31.2+ds1-2 \|\| =1.31.2+ds1-3 \|\| =1.32.0+ds1-1 \|\| =1.32.0+ds1-2 \|\| =1.32.2+ds1-1 \|\| =1.33.1+ds1-1 \|\| =1.33.1+ds1-2 \|\| =1.33.3+ds1-1 \|\| =1.33.3+ds1-2 \|\| =1.33.5+ds1-3 \|\| =1.33.5+ds1-4 \|\| =1.33.7+ds1-1 \|\| =1.34.0+ds1-1 \|\| =1.34.0+ds1-2 \|\| =1.35.3+ds1-1 \|\| =1.35.3+ds1-2 \|\| =1.35.3+ds1-3 \|\| =1.37.0+ds1-1 \|\| =1.37.1+ds1-1 \|\| =1.37.1+ds1-2 \|\| =1.37.2+ds1-1 \|\| =1.37.2+ds1-2 \|\| =1.37.2+ds1-3 \|\| =1.37.3+ds1-1 \|\| =1.37.3+ds1-2 \|\| =1.37.3+ds1-3 \|\| =1.37.4+ds1-1 \|\| =1.37.5+ds1-1 \|\| =1.38.0+ds1-1 \|\| =1.38.0+ds1-2 \|\| =1.38.1+ds1-1 \|\| =1.39.0+ds1-1 \|\| =1.39.3+ds1-1 \|\| =1.41.4+ds1-1 \|\| =1.41.4+ds1-2 \|\| =1.41.4+ds1-3 \|\| =1.41.5+ds1-1 \|\| =1.41.5+ds1-2 \|\| =1.41.5+ds1-3 \|\| =1.41.5+ds1-4 \|\| =1.42.1+ds1-1 \|\| =1.42.1+ds1-2 \|\| =1.43.0+ds1-1 \|\| =1.43.0+ds1-2 \|\| =1.43.1+ds1-1	-
debian 13	golang-github-containers-buildah	>=0 <1.37.4+ds1-1	1.37.4+ds1-1
go	github.com/containers/buildah	>=0 <1.38.0	1.38.0
rpm rhel9.0	buildah	<1:1.26.8-2.el9_0	1:1.26.8-2.el9_0
rpm rhel9.2	podman	<2:4.4.1-21.el9_2	2:4.4.1-21.el9_2
rpm rhel9	buildah	<2:1.33.10-1.el9_4 \|\| >=2:1.37.5, <2:1.37.5-1.el9_5	2:1.37.5-1.el9_5
rpm rhel9.2	buildah	<1:1.29.4-1.el9_2	1:1.29.4-1.el9_2
rpm rhel9.0	podman	<2:4.2.0-5.el9_0.2	2:4.2.0-5.el9_0.2

1-10 of 12

References

1. https://github.com/containers/buildah/commit/aa67e5d71ee7ec07122a210baa3b13966a9e086c2. https://pkg.go.dev/vuln/GO-2024-31863. https://bugzilla.redhat.com/show_bug.cgi?id=2317458

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.