VYPR
Moderate severity · GHSA Advisory · Published Oct 1, 2024 · Updated Mar 19, 2026

Podman: buildah: cri-o: fips crypto-policy directory mounting issue in containers/common go library

CVE-2024-9341

Description

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

When FIPS mode is enabled, improper file path validation in the containers/common Go library allows an attacker to use symbolic links to mount sensitive host directories inside a container, breaking isolation.

Vulnerability

CVE-2024-9341 is a flaw in the containers/common Go library, which is used by container runtimes and tools such as Podman, Buildah, and CRI-O. When FIPS mode is enabled on a system, the library incorrectly validates certain file paths, allowing symbolic links to bypass intended restrictions [1][2][3][4].

Exploitation

An attacker who can craft a container image or influence its configuration can exploit this issue by embedding symbolic links that point to sensitive host directories. Because the path validation does not properly handle symlinks when FIPS mode is active, the container runtime may mount those host paths inside the container, bypassing the isolation that normally prevents access to the host filesystem [1]. No authentication is required beyond the ability to deploy or modify a container.
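The path handling described above, reduced to a runnable check. This is an added example, not code from the advisory or from containers/common: it builds a constructed rootfs in a temp directory whose FIPS back-ends entry is an absolute symlink, computes the source path with filepath.Join as the pre-fix code did, and applies a containment check that stands in for the scoping securejoin.SecureJoin provides in the fix (hostPathInRoot and buildRootfs are names chosen here, not library APIs).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape: a path that should stay inside the rootfs resolved to a host location outside it.
var ErrEscape = errors.New("path escapes the container rootfs")

// hostPathInRoot joins rel onto rootfs with filepath.Join (as the vulnerable code did), lets the host
// follow symlinks as a bind mount would, and rejects the result unless it stays under rootfs.
func hostPathInRoot(rootfs, rel string) (string, error) {
	root, err := filepath.EvalSymlinks(rootfs)
	if err != nil {
		return "", err
	}
	naive := filepath.Join(root, rel) // the pre-fix srcOnHost computation
	resolved, err := filepath.EvalSymlinks(naive)
	if err != nil {
		return "", err
	}
	if resolved != root && !strings.HasPrefix(resolved, root+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s -> %s", ErrEscape, naive, resolved)
	}
	return resolved, nil
}

// buildRootfs creates a constructed rootfs under base whose FIPS back-ends entry is a symlink to linkTarget.
func buildRootfs(base, linkTarget string) (string, error) {
	rootfs := filepath.Join(base, "rootfs")
	fips := filepath.Join(rootfs, "usr/share/crypto-policies/back-ends/FIPS")
	if err := os.MkdirAll(filepath.Dir(fips), 0o755); err != nil {
		return "", err
	}
	return rootfs, os.Symlink(linkTarget, fips)
}

func main() {
	base, _ := os.MkdirTemp("", "cve-2024-9341-")
	defer os.RemoveAll(base)
	hostDir := filepath.Join(base, "host-etc") // constructed stand-in for a sensitive host directory
	_ = os.Mkdir(hostDir, 0o755)
	rootfs, _ := buildRootfs(base, hostDir)
	_, err := hostPathInRoot(rootfs, "/usr/share/crypto-policies/back-ends/FIPS")
	fmt.Println("symlinked FIPS dir:", err) // ErrEscape: the link resolved to hostDir, outside rootfs
}
```

A relative symlink that stays under the rootfs passes the same check, which is the behaviour the fixed code relies on.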

Impact

Successful exploitation allows an attacker to read or write arbitrary files on the host system from within a container, including sensitive data such as credentials, configuration files, and other critical host resources. This effectively breaks the security boundary between the container and the host, leading to a full compromise of the host's confidentiality and integrity [1][4].

Mitigation

Red Hat has released updated packages for OpenShift Container Platform 4.15, 4.16, and 4.17 that address this vulnerability [1][2][3][4]. Users are advised to upgrade to the fixed versions. There is no indication of active exploitation in the wild, and the issue is rated as Moderate severity.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/containers/common (Go)
Affected versions: < 0.60.4
Patched versions: 0.60.4

Affected products: 106

Patches: 1

e7db06585c32

pkg/subscriptions: use securejoin for the container path

https://github.com/containers/common · Paul Holzinger · Sep 27, 2024 · via ghsa
1 file changed · +5 −1
  • pkg/subscriptions/subscriptions.go (+5 −1, modified)
    @@ -11,6 +11,7 @@ import (
     	"github.com/containers/common/pkg/umask"
     	"github.com/containers/storage/pkg/fileutils"
     	"github.com/containers/storage/pkg/idtools"
    +	securejoin "github.com/cyphar/filepath-securejoin"
     	rspec "github.com/opencontainers/runtime-spec/specs-go"
     	"github.com/opencontainers/selinux/go-selinux/label"
     	"github.com/sirupsen/logrus"
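Review bot: the import hunk makes github.com/cyphar/filepath-securejoin a direct dependency, yet the page shows only one changed file, so confirm go.mod/go.sum (and the vendor/ tree, if one is used) already carry this module, or a clean checkout will not build. Style: the package's own name is securejoin, so the explicit alias on the import line is redundant and can be dropped.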
    @@ -346,7 +347,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint,
     
     	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
     	destDir := "/etc/crypto-policies/back-ends"
    -	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
    +	srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir)
    +	if err != nil {
    +		return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err)
    +	}
     	if err := fileutils.Exists(srcOnHost); err != nil {
     		if errors.Is(err, os.ErrNotExist) {
     			return nil
    
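Review bot: SecureJoin resolves the symlinks under mountPoint at the moment of the call, so srcOnHost can still be redirected if the container rootfs changes between this resolution and the later bind mount of srcOnHost (a time-of-check/time-of-use window); where the rootfs is writable by an untrusted party at that point, consider the descriptor-based helpers the same library provides (OpenInRoot/Reopen) so the resolved directory is pinned rather than re-resolved by path. Minor: `if err := fileutils.Exists(srcOnHost); err != nil` now shadows the `err` declared two lines above; `err = fileutils.Exists(srcOnHost)` avoids the shadow. Also confirm `fmt` is already imported in this file, since the import hunk adds only securejoin and the new `fmt.Errorf` call depends on it.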

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 20

News mentions: 0 (no linked articles in the index yet)