rpm package
almalinux/buildah
pkg:rpm/almalinux/buildah
Vulnerabilities (100)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34986 | Hig | 7.5 | < 2:1.41.8-3.el9_7 | 2:1.41.8-3.el9_7 | Apr 6, 2026 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW | |
| CVE-2025-68121 | Cri | 10.0 | < 2:1.41.8-2.el10_1 | 2:1.41.8-2.el10_1 | Feb 5, 2026 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and | |
| CVE-2025-61728 | — | < 2:1.33.14-3.module_el8.10.0+4136+16425343 | 2:1.33.14-3.module_el8.10.0+4136+16425343 | Jan 28, 2026 | archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. | ||
| CVE-2025-61726 | — | < 2:1.41.8-2.el10_1 | 2:1.41.8-2.el10_1 | Jan 28, 2026 | The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la | ||
| CVE-2025-65637 | — | < 2:1.33.14-2.module_el8.10.0+4120+03ad4b47 | 2:1.33.14-2.module_el8.10.0+4120+03ad4b47 | Dec 4, 2025 | A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is | ||
| CVE-2025-61729 | — | < 2:1.41.8-2.el10_1 | 2:1.41.8-2.el10_1 | Dec 2, 2025 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a | ||
| CVE-2025-47913 | — | < 2:1.41.8-1.el10_1 | 2:1.41.8-1.el10_1 | Nov 13, 2025 | SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. | ||
| CVE-2025-52881 | — | < 2:1.33.12-2.module_el8.10.0+4023+db236c53 | 2:1.33.12-2.module_el8.10.0+4023+db236c53 | Nov 6, 2025 | runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have | ||
| CVE-2025-52565 | — | < 2:1.33.12-2.module_el8.10.0+4023+db236c53 | 2:1.33.12-2.module_el8.10.0+4023+db236c53 | Nov 6, 2025 | runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the conta | ||
| CVE-2025-31133 | — | < 2:1.33.12-2.module_el8.10.0+4023+db236c53 | 2:1.33.12-2.module_el8.10.0+4023+db236c53 | Nov 6, 2025 | runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container | ||
| CVE-2025-58183 | Med | 4.3 | < 2:1.41.6-1.el9_7 | 2:1.41.6-1.el9_7 | Oct 29, 2025 | tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r | |
| CVE-2025-9566 | Hig | 8.1 | < 2:1.33.12-2.module_el8.10.0+4023+db236c53 | 2:1.33.12-2.module_el8.10.0+4023+db236c53 | Sep 5, 2025 | There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only | |
| CVE-2025-6032 | Hig | 8.3 | < 2:1.33.12-2.module_el8.10.0+4023+db236c53 | 2:1.33.12-2.module_el8.10.0+4023+db236c53 | Jun 24, 2025 | A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack. | |
| CVE-2025-22871 | Cri | 9.1 | < 2:1.33.12-2.module_el8.10.0+4016+efd18bf8 | 2:1.33.12-2.module_el8.10.0+4016+efd18bf8 | Apr 8, 2025 | The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. | |
| CVE-2025-22869 | — | < 2:1.33.12-1.module_el8.10.0+3959+b8dc5e6a | 2:1.33.12-1.module_el8.10.0+3959+b8dc5e6a | Feb 26, 2025 | SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. | ||
| CVE-2025-27144 | Med | — | < 2:1.39.4-1.el9_6 | 2:1.39.4-1.el9_6 | Feb 24, 2025 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par | |
| CVE-2024-11218 | Hig | 8.6 | < 2:1.37.6-1.el9_5 | 2:1.37.6-1.el9_5 | Jan 22, 2025 | A vulnerability was found in `podman build` and `buildah.` This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and d | |
| CVE-2024-9676 | — | < 2:1.33.11-1.module_el8.10.0+3926+f12484f5 | 2:1.33.11-1.module_el8.10.0+3926+f12484f5 | Oct 15, 2024 | A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned | ||
| CVE-2024-9675 | — | < 2:1.33.10-1.el9_4 | 2:1.33.10-1.el9_4 | Oct 9, 2024 | A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as lo | ||
| CVE-2024-9407 | Med | 4.7 | < 2:1.33.10-1.module_el8.10.0+3909+6e1c1eb7 | 2:1.33.10-1.module_el8.10.0+3909+6e1c1eb7 | Oct 1, 2024 | A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensi |
- affected < 2:1.41.8-3.el9_7fixed 2:1.41.8-3.el9_7
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
- affected < 2:1.41.8-2.el10_1fixed 2:1.41.8-2.el10_1
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
- CVE-2025-61728Jan 28, 2026affected < 2:1.33.14-3.module_el8.10.0+4136+16425343fixed 2:1.33.14-3.module_el8.10.0+4136+16425343
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
- CVE-2025-61726Jan 28, 2026affected < 2:1.41.8-2.el10_1fixed 2:1.41.8-2.el10_1
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la
- CVE-2025-65637Dec 4, 2025affected < 2:1.33.14-2.module_el8.10.0+4120+03ad4b47fixed 2:1.33.14-2.module_el8.10.0+4120+03ad4b47
A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is
- CVE-2025-61729Dec 2, 2025affected < 2:1.41.8-2.el10_1fixed 2:1.41.8-2.el10_1
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a
- CVE-2025-47913Nov 13, 2025affected < 2:1.41.8-1.el10_1fixed 2:1.41.8-1.el10_1
SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
- CVE-2025-52881Nov 6, 2025affected < 2:1.33.12-2.module_el8.10.0+4023+db236c53fixed 2:1.33.12-2.module_el8.10.0+4023+db236c53
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have
- CVE-2025-52565Nov 6, 2025affected < 2:1.33.12-2.module_el8.10.0+4023+db236c53fixed 2:1.33.12-2.module_el8.10.0+4023+db236c53
runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the conta
- CVE-2025-31133Nov 6, 2025affected < 2:1.33.12-2.module_el8.10.0+4023+db236c53fixed 2:1.33.12-2.module_el8.10.0+4023+db236c53
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container
- affected < 2:1.41.6-1.el9_7fixed 2:1.41.6-1.el9_7
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r
- affected < 2:1.33.12-2.module_el8.10.0+4023+db236c53fixed 2:1.33.12-2.module_el8.10.0+4023+db236c53
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only
- affected < 2:1.33.12-2.module_el8.10.0+4023+db236c53fixed 2:1.33.12-2.module_el8.10.0+4023+db236c53
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.
- affected < 2:1.33.12-2.module_el8.10.0+4016+efd18bf8fixed 2:1.33.12-2.module_el8.10.0+4016+efd18bf8
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
- CVE-2025-22869Feb 26, 2025affected < 2:1.33.12-1.module_el8.10.0+3959+b8dc5e6afixed 2:1.33.12-1.module_el8.10.0+3959+b8dc5e6a
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
- affected < 2:1.39.4-1.el9_6fixed 2:1.39.4-1.el9_6
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par
- affected < 2:1.37.6-1.el9_5fixed 2:1.37.6-1.el9_5
A vulnerability was found in `podman build` and `buildah.` This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and d
- CVE-2024-9676Oct 15, 2024affected < 2:1.33.11-1.module_el8.10.0+3926+f12484f5fixed 2:1.33.11-1.module_el8.10.0+3926+f12484f5
A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned
- CVE-2024-9675Oct 9, 2024affected < 2:1.33.10-1.el9_4fixed 2:1.33.10-1.el9_4
A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as lo
- affected < 2:1.33.10-1.module_el8.10.0+3909+6e1c1eb7fixed 2:1.33.10-1.module_el8.10.0+3909+6e1c1eb7
A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensi
Page 1 of 5