High severity8.6NVD Advisory· Published Mar 18, 2024· Updated Apr 15, 2026
CVE-2024-1753
CVE-2024-1753
Description
A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/containers/podman/v4Go | < 4.9.4 | 4.9.4 |
github.com/containers/podman/v5Go | < 5.0.1 | 5.0.1 |
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
30- github.com/advisories/GHSA-874v-pj72-92f3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-1753ghsaADVISORY
- access.redhat.com/errata/RHSA-2024:2049nvdWEB
- access.redhat.com/errata/RHSA-2024:2055nvdWEB
- access.redhat.com/errata/RHSA-2024:2064nvdWEB
- access.redhat.com/errata/RHSA-2024:2066nvdWEB
- access.redhat.com/errata/RHSA-2024:2077nvdWEB
- access.redhat.com/errata/RHSA-2024:2084nvdWEB
- access.redhat.com/errata/RHSA-2024:2089nvdWEB
- access.redhat.com/errata/RHSA-2024:2090nvdWEB
- access.redhat.com/errata/RHSA-2024:2097nvdWEB
- access.redhat.com/errata/RHSA-2024:2098nvdWEB
- access.redhat.com/errata/RHSA-2024:2548nvdWEB
- access.redhat.com/errata/RHSA-2024:2645nvdWEB
- access.redhat.com/errata/RHSA-2024:2669nvdWEB
- access.redhat.com/errata/RHSA-2024:2672nvdWEB
- access.redhat.com/errata/RHSA-2024:2784nvdWEB
- access.redhat.com/errata/RHSA-2024:2877nvdWEB
- access.redhat.com/errata/RHSA-2024:3254nvdWEB
- access.redhat.com/security/cve/CVE-2024-1753nvdWEB
- bugzilla.redhat.com/show_bug.cginvdWEB
- github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cfnvdWEB
- github.com/containers/podman/security/advisories/GHSA-874v-pj72-92f3nvdWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCRZVUDOFM5CPREQKBEU2VK2QK62PSBPghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYMVMQ7RWMDTSKQTBO734BE3WQPI2AJghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVBSVZGVABPYIHK5HZM472NPGWMI7WXHghsaWEB
- pkg.go.dev/vuln/GO-2024-2658nvdWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCRZVUDOFM5CPREQKBEU2VK2QK62PSBP/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYMVMQ7RWMDTSKQTBO734BE3WQPI2AJ/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVBSVZGVABPYIHK5HZM472NPGWMI7WXH/nvd
News mentions
0No linked articles in our index yet.