High severityNVD Advisory· Published Mar 31, 2020· Updated Aug 4, 2024
CVE-2020-10696
CVE-2020-10696
Description
A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/containers/buildahGo | < 1.14.4 | 1.14.4 |
Affected products
50- osv-coords49 versionspkg:apk/chainguard/buildahpkg:apk/wolfi/buildahpkg:golang/github.com/containers/buildahpkg:rpm/almalinux/cockpit-podmanpkg:rpm/almalinux/containernetworking-pluginspkg:rpm/almalinux/container-selinuxpkg:rpm/almalinux/critpkg:rpm/almalinux/criupkg:rpm/almalinux/fuse-overlayfspkg:rpm/almalinux/oci-systemd-hookpkg:rpm/almalinux/oci-umountpkg:rpm/almalinux/python3-criupkg:rpm/almalinux/python-podman-apipkg:rpm/almalinux/runcpkg:rpm/almalinux/slirp4netnspkg:rpm/almalinux/toolboxpkg:rpm/almalinux/udicapkg:rpm/opensuse/buildah&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/buildah&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/buildah&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/buildah&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/buildah&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/libcontainers-common&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/libgpg-error&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/libgpg-error&distro=openSUSE%20Leap%20Micro%205.2pkg:rpm/opensuse/podman&distro=openSUSE%20Leap%2015.2pkg:rpm/suse/buildah&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/buildah&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOSpkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP1pkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP2pkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3pkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP4pkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCLpkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/buildah&distro=SUSE%20Manager%20Proxy%204.1pkg:rpm/suse/buildah&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1pkg:rpm/suse/buildah&distro=SUSE%20Manager%20Server%204.1pkg:rpm/suse/libgpg-error&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/libgpg-error&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/libgpg-error&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3
< 0+ 48 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.14.4
- (no CPE)range: < 11-1.module_el8.5.0+108+00865455
- (no CPE)range: < 0.8.3-4.module_el8.5.0+2635+e4386a39
- (no CPE)range: < 2:2.124.0-1.gitf958d0c.module_el8.3.0+2044+12421f43
- (no CPE)range: < 3.12-9.module_el8.3.0+2044+12421f43
- (no CPE)range: < 3.12-9.module_el8.4.0+2496+12421f43
- (no CPE)range: < 0.3-5.module_el8.3.0+2044+12421f43
- (no CPE)range: < 1:0.1.15-2.git2d0b8a3.module_el8.5.0+119+9a9ec082
- (no CPE)range: < 2:2.3.4-2.git87f9237.module_el8.5.0+119+9a9ec082
- (no CPE)range: < 3.12-9.module_el8.3.0+2044+12421f43
- (no CPE)range: < 1.2.0-0.2.gitd0a45fe.module_el8.5.0+2635+e4386a39
- (no CPE)range: < 1.0.0-56.rc5.dev.git2abd837.module_el8.3.0+2044+12421f43
- (no CPE)range: < 0.1-5.dev.gitc4e1bc5.module_el8.3.0+2044+12421f43
- (no CPE)range: < 0.0.7-1.module_el8.5.0+108+00865455
- (no CPE)range: < 0.2.1-2.module_el8.5.0+108+00865455
- (no CPE)range: < 1.17.0-lp151.2.6.1
- (no CPE)range: < 1.19.2-lp152.2.3.1
- (no CPE)range: < 1.27.1-150300.8.11.1
- (no CPE)range: < 1.27.1-150400.3.8.1
- (no CPE)range: < 1.23.0-1.1
- (no CPE)range: < 0.0.20241213T205935-1.1
- (no CPE)range: < 20210112-lp152.2.6.1
- (no CPE)range: < 1.42-150300.9.3.1
- (no CPE)range: < 1.42-150300.9.3.1
- (no CPE)range: < 2.2.1-lp152.4.9.1
- (no CPE)range: < 1.25.1-150100.3.13.12
- (no CPE)range: < 1.25.1-150100.3.13.12
- (no CPE)range: < 1.25.1-150100.3.13.12
- (no CPE)range: < 1.25.1-150100.3.13.12
- (no CPE)range: < 1.25.1-150100.3.13.12
- (no CPE)range: < 1.25.1-150100.3.13.12
- (no CPE)range: < 1.17.0-3.6.1
- (no CPE)range: < 1.17.0-3.6.1
- (no CPE)range: < 1.27.1-150300.8.11.1
- (no CPE)range: < 1.27.1-150400.3.8.1
- (no CPE)range: < 1.25.1-150100.3.13.12
- (no CPE)range: < 1.25.1-150100.3.13.12
- (no CPE)range: < 1.25.1-150100.3.13.12
- (no CPE)range: < 1.25.1-150100.3.13.12
- (no CPE)range: < 1.25.1-150100.3.13.12
- (no CPE)range: < 1.25.1-150100.3.13.12
- (no CPE)range: < 1.25.1-150100.3.13.12
- (no CPE)range: < 1.25.1-150100.3.13.12
- (no CPE)range: < 1.25.1-150100.3.13.12
- (no CPE)range: < 1.42-150300.9.3.1
- (no CPE)range: < 1.42-150300.9.3.1
- (no CPE)range: < 1.42-150300.9.3.1
- Red Hat/buildahv5Range: Fixed in buildah-1.14.5
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-fx8w-mjvm-hvpcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-10696ghsaADVISORY
- access.redhat.com/security/cve/cve-2020-10696ghsax_refsource_MISCWEB
- bugzilla.redhat.com/show_bug.cgighsaWEB
- bugzilla.redhat.com/show_bug.cgighsax_refsource_CONFIRMWEB
- github.com/containers/buildah/pull/2245ghsax_refsource_MISCWEB
- pkg.go.dev/vuln/GO-2022-0828ghsaWEB
News mentions
0No linked articles in our index yet.