VYPR

apk package

wolfi/buildah

pkg:apk/wolfi/buildah

Vulnerabilities (89)

  • CVE-2024-24791HigJul 2, 2024
    affected < 1.36.0-r2fixed 1.36.0-r2

    The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co

  • CVE-2024-24789Jun 5, 2024
    affected < 1.36.0-r1fixed 1.36.0-r1

    The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip pac

  • CVE-2024-24790Jun 5, 2024
    affected < 1.36.0-r1fixed 1.36.0-r1

    The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

  • CVE-2024-3727HigMay 14, 2024
    affected < 1.35.4-r0fixed 1.35.4-r0

    A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.

  • CVE-2024-3154HigApr 26, 2024
    affected < 1.35.3-r1fixed 1.35.3-r1

    A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.

  • CVE-2022-2990HigSep 13, 2022
    affected < 0fixed 0

    An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissi

  • CVE-2022-27651MedApr 4, 2022
    affected < 0fixed 0

    A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to p

  • CVE-2021-3602MedMar 3, 2022
    affected < 0fixed 0

    An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD en

  • CVE-2020-10696HigMar 31, 2020
    affected < 0fixed 0

    A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.

Page 5 of 5