CVE-2022-4123
Description
A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Buildah absolute path traversal vulnerability discloses local path and subdirectory information.
CVE-2022-4123 is an absolute path traversal vulnerability in Buildah, a tool for building OCI container images. The flaw arises from incorrect handling of absolute paths, allowing an attacker to infer the local path and the lowest subdirectory of the build context. This issue was identified in the context of Podman remote builds, where the build context is transmitted to a remote server [2][3].
Exploitation involves crafting a build request with a malicious Dockerfile path relative to the build context. When using podman-remote, the remote server incorrectly resolves the path, revealing information about the local filesystem structure. Specifically, specifying a Dockerfile outside the build root via the -f option can trigger an error that discloses the path. No authentication beyond normal build permissions is required [3].
Successful exploitation impacts confidentiality by leaking the local path and lowest subdirectory name. This information can aid an attacker in mapping the filesystem structure of the build host, potentially leading to further attacks. However, the vulnerability does not allow reading file contents, only path disclosure [2].
The issue has been addressed in a commit to the Buildah/Podman codebase [4]. Users are advised to update to the latest version of Podman/Buildah that includes the fix. As of the publication date, no exploitation in the wild has been reported [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
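As an added illustration (not code from Podman, Buildah, or the commit listed below), the Go snippet contrasts two ways of naming build-context archive entries: the prefix-stripping idiom, which yields the host's absolute context path whenever the walked path equals the root, and a filepath.Rel-based name that maps the root to an empty name and rejects anything outside the context. The sample paths are constructed; nothing is read from disk.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// entryNameTrimPrefix mirrors the prefix-stripping idiom: the archive entry
// name is the walked path with "<root>/" cut off the front. If the walk
// callback reaches this line with path == root (e.g. an empty context
// directory), nothing is stripped and the local absolute path of the
// context directory becomes the entry name sent to the remote side.
func entryNameTrimPrefix(root, path string) string {
	return filepath.ToSlash(strings.TrimPrefix(path, root+string(filepath.Separator)))
}

// entryNameRel derives the entry name with filepath.Rel instead, so the root
// itself maps to "" and anything outside the root is rejected rather than
// silently turned into an absolute or parent-relative name.
func entryNameRel(root, path string) (string, error) {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%q lies outside context root %q", path, root)
	}
	if rel == "." {
		return "", nil // the root directory itself gets no entry name
	}
	return filepath.ToSlash(rel), nil
}

func main() {
	// Constructed sample paths (hypothetical host layout).
	root := "/home/user/proj/build-root"
	for _, p := range []string{root, root + "/sub/file", "/home/user/proj/Containerfile"} {
		name, err := entryNameRel(root, p)
		fmt.Printf("%-36s trimprefix=%-30q rel=%q err=%v\n",
			p, entryNameTrimPrefix(root, p), name, err)
	}
}
```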
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/containers/podman/v4 (Go) | >= 4.1.0-rc1, <= 4.4.1 | — |
Affected products
- Buildah/Buildah (source: CVE description)
Patches
7934b77dd537 Merge pull request #13531 from cdoern/build
2 files changed · +22 −9
pkg/bindings/images/build.go+19 −7 modified@@ -241,7 +241,9 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO params.Add("platform", platform) } } - if contextDir, err := filepath.EvalSymlinks(options.ContextDirectory); err == nil { + var err error + var contextDir string + if contextDir, err = filepath.EvalSymlinks(options.ContextDirectory); err == nil { options.ContextDirectory = contextDir } @@ -301,7 +303,6 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO var ( headers http.Header - err error ) if options.SystemContext != nil && options.SystemContext.DockerAuthConfig != nil { headers, err = auth.MakeXRegistryAuthHeader(options.SystemContext, options.SystemContext.DockerAuthConfig.Username, options.SystemContext.DockerAuthConfig.Password) @@ -325,7 +326,7 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO } } - contextDir, err := filepath.Abs(options.ContextDirectory) + contextDir, err = filepath.Abs(options.ContextDirectory) if err != nil { logrus.Errorf("Cannot find absolute path of %v: %v", options.ContextDirectory, err) return nil, err 
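Review bot: hoisting `err` and `contextDir` to function scope in the first hunk means a failed `filepath.EvalSymlinks` leaves a non-nil `err` alive in the outer scope instead of dying with the `if` statement; it is overwritten by `contextDir, err = filepath.Abs(options.ContextDirectory)` in the third hunk, but any code between them that consults `err` would see a stale symlink-resolution error, and the `headers, err = auth.MakeXRegistryAuthHeader(...)` assignment only runs when `options.SystemContext` is set. The EvalSymlinks failure is also still swallowed silently; consider a `logrus.Debugf` on that path and either keeping the narrower `:=` scoping or resetting `err = nil` after the block.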
@@ -556,16 +557,27 @@ func nTar(excludes []string, sources ...string) (io.ReadCloser, error) { merr = multierror.Append(merr, err) return } - err = filepath.Walk(s, func(path string, info os.FileInfo, err error) error { if err != nil { return err } - if path == s { - return nil // skip root dir + // check if what we are given is an empty dir, if so then continue w/ it. Else return. + // if we are given a file or a symlink, we do not want to exclude it. + if info.IsDir() && s == path { + var p *os.File + p, err = os.Open(path) + if err != nil { + return err + } + defer p.Close() + _, err = p.Readdir(1) + if err != io.EOF { + return nil // non empty root dir, need to return + } else if err != nil { + logrus.Errorf("Error while reading directory %v: %v", path, err) + } } - name := filepath.ToSlash(strings.TrimPrefix(path, s+string(filepath.Separator))) excluded, err := pm.Matches(name) // nolint:staticcheck
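Review bot: the error handling after `p.Readdir(1)` is inverted: `if err != io.EOF { return nil }` treats any genuine read error as "non-empty directory" and skips the root silently, while the `else if err != nil` branch only executes when `err == io.EOF`, so the expected empty-directory case logs "Error while reading directory" every time. Reorder to `if err == io.EOF { /* empty root, fall through */ } else if err != nil { return err } else { return nil }`. Separately, when the empty root does fall through, `name := filepath.ToSlash(strings.TrimPrefix(path, s+string(filepath.Separator)))` runs with `path == s`, so nothing is stripped and the entry is named with the full local path of the context directory; `filepath.Rel(s, path)` (yielding `.`) avoids putting the host path into the archive. Also, `err = filepath.Walk(s, func(...) error {` appears as a removed line with no `+` counterpart in this hunk, so please confirm the callback header as rendered.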
test/e2e/build_test.go+3 −2 modified@@ -734,10 +734,11 @@ RUN ls /dev/test1`, ALPINE) err = os.Mkdir("relative", 0755) Expect(err).To(BeNil()) containerFilePath := filepath.Join("relative", "Containerfile") - fmt.Println(containerFilePath) + err = os.Mkdir("relative/build-root", 0755) + Expect(err).To(BeNil()) err = ioutil.WriteFile(containerFilePath, []byte(containerFile), 0755) Expect(err).To(BeNil()) - build := podmanTest.Podman([]string{"build", "-f", "./relative/Containerfile"}) + build := podmanTest.Podman([]string{"build", "-f", "./relative/Containerfile", "./relative/build-root"}) build.WaitWithDefaultTimeout() Expect(build).To(Exit(0)) err = os.RemoveAll("relative")
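Review bot: passing the newly created, empty `relative/build-root` directory as the build context exercises the empty-root branch added to `nTar`, but the test only asserts `Exit(0)`; add a check on the build output (or on the entries of the context archive) that the host path of `build-root` does not appear, since that is the behaviour this change is meant to cover.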
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-rprg-4v7q-87v7 (GHSA, advisory)
2. nvd.nist.gov/vuln/detail/CVE-2022-4123 (GHSA, advisory)
3. bugzilla.redhat.com/show_bug.cgi (GHSA, web)
4. github.com/containers/podman/commit/7934b77dd5372c22063686a218b8b48c2fcaca8c (GHSA, web)
5. github.com/containers/podman/issues/13293 (GHSA, web)
6. github.com/containers/podman/pull/13531 (GHSA, web)
7. pkg.go.dev/vuln/GO-2022-1159 (GHSA, web)