rpm package
almalinux/podman
pkg:rpm/almalinux/podman
Vulnerabilities (106)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-27144 | Med | — | < 6:5.4.0-9.el10_0 | 6:5.4.0-9.el10_0 | Feb 24, 2025 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par | |
| CVE-2024-11218 | Hig | 8.6 | < 4:5.2.2-13.el9_5 | 4:5.2.2-13.el9_5 | Jan 22, 2025 | A vulnerability was found in `podman build` and `buildah.` This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and d | |
| CVE-2024-9676 | — | < 4:4.9.4-18.module_el8.10.0+3926+f12484f5 | 4:4.9.4-18.module_el8.10.0+3926+f12484f5 | Oct 15, 2024 | A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned | ||
| CVE-2024-9675 | — | < 4:4.9.4-15.module_el8.10.0+3909+6e1c1eb7 | 4:4.9.4-15.module_el8.10.0+3909+6e1c1eb7 | Oct 9, 2024 | A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as lo | ||
| CVE-2024-9407 | Med | 4.7 | < 4:4.9.4-15.module_el8.10.0+3909+6e1c1eb7 | 4:4.9.4-15.module_el8.10.0+3909+6e1c1eb7 | Oct 1, 2024 | A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensi | |
| CVE-2024-9341 | — | < 4:4.9.4-13.el9_4 | 4:4.9.4-13.el9_4 | Oct 1, 2024 | A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting se | ||
| CVE-2024-34158 | Hig | 7.5 | < 4:4.9.4-13.module_el8.10.0+3901+4b80ecd7 | 4:4.9.4-13.module_el8.10.0+3901+4b80ecd7 | Sep 6, 2024 | Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. | |
| CVE-2024-34156 | Hig | 7.5 | < 4:4.9.4-13.module_el8.10.0+3901+4b80ecd7 | 4:4.9.4-13.module_el8.10.0+3901+4b80ecd7 | Sep 6, 2024 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. | |
| CVE-2024-34155 | Med | 4.3 | < 4:4.9.4-13.module_el8.10.0+3901+4b80ecd7 | 4:4.9.4-13.module_el8.10.0+3901+4b80ecd7 | Sep 6, 2024 | Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. | |
| CVE-2024-24791 | Hig | 7.5 | < 4:4.9.4-13.module_el8.10.0+3898+7a25cb1a | 4:4.9.4-13.module_el8.10.0+3898+7a25cb1a | Jul 2, 2024 | The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co | |
| CVE-2024-37298 | Hig | 7.5 | < 4:4.9.4-12.module_el8.10.0+3876+e55593a8 | 4:4.9.4-12.module_el8.10.0+3876+e55593a8 | Jul 1, 2024 | gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality | |
| CVE-2024-6104 | — | < 4:4.9.4-12.module_el8.10.0+3876+e55593a8 | 4:4.9.4-12.module_el8.10.0+3876+e55593a8 | Jun 24, 2024 | go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. | ||
| CVE-2024-24789 | — | < 4:4.9.4-12.module_el8.10.0+3876+e55593a8 | 4:4.9.4-12.module_el8.10.0+3876+e55593a8 | Jun 5, 2024 | The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip pac | ||
| CVE-2024-3727 | Hig | 8.3 | < 4:4.9.4-12.module_el8.10.0+3876+e55593a8 | 4:4.9.4-12.module_el8.10.0+3876+e55593a8 | May 14, 2024 | A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. | |
| CVE-2024-24788 | Med | 5.9 | < 4:4.9.4-13.module_el8.10.0+3898+7a25cb1a | 4:4.9.4-13.module_el8.10.0+3898+7a25cb1a | May 8, 2024 | A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. | |
| CVE-2024-1394 | Hig | 7.5 | < 4:4.9.4-5.el9_4 | 4:4.9.4-5.el9_4 | Mar 21, 2024 | A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and | |
| CVE-2024-1753 | Hig | 8.6 | < 2:4.0.2-26.module_el8.9.0+3722+7fd8ab2b.alma.1 | 2:4.0.2-26.module_el8.9.0+3722+7fd8ab2b.alma.1 | Mar 18, 2024 | A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause t | |
| CVE-2024-28180 | — | < 4:4.9.4-1.module_el8.10.0+3845+87b84552 | 4:4.9.4-1.module_el8.10.0+3845+87b84552 | Mar 9, 2024 | Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret | ||
| CVE-2024-28176 | — | < 4:4.9.4-4.el9_4 | 4:4.9.4-4.el9_4 | Mar 9, 2024 | jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encrypt | ||
| CVE-2024-24786 | Hig | 7.5 | < 4:4.9.4-3.el9_4 | 4:4.9.4-3.el9_4 | Mar 5, 2024 | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. |
- affected < 6:5.4.0-9.el10_0fixed 6:5.4.0-9.el10_0
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par
- affected < 4:5.2.2-13.el9_5fixed 4:5.2.2-13.el9_5
A vulnerability was found in `podman build` and `buildah.` This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and d
- CVE-2024-9676Oct 15, 2024affected < 4:4.9.4-18.module_el8.10.0+3926+f12484f5fixed 4:4.9.4-18.module_el8.10.0+3926+f12484f5
A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned
- CVE-2024-9675Oct 9, 2024affected < 4:4.9.4-15.module_el8.10.0+3909+6e1c1eb7fixed 4:4.9.4-15.module_el8.10.0+3909+6e1c1eb7
A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as lo
- affected < 4:4.9.4-15.module_el8.10.0+3909+6e1c1eb7fixed 4:4.9.4-15.module_el8.10.0+3909+6e1c1eb7
A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensi
- CVE-2024-9341Oct 1, 2024affected < 4:4.9.4-13.el9_4fixed 4:4.9.4-13.el9_4
A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting se
- affected < 4:4.9.4-13.module_el8.10.0+3901+4b80ecd7fixed 4:4.9.4-13.module_el8.10.0+3901+4b80ecd7
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
- affected < 4:4.9.4-13.module_el8.10.0+3901+4b80ecd7fixed 4:4.9.4-13.module_el8.10.0+3901+4b80ecd7
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
- affected < 4:4.9.4-13.module_el8.10.0+3901+4b80ecd7fixed 4:4.9.4-13.module_el8.10.0+3901+4b80ecd7
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
- affected < 4:4.9.4-13.module_el8.10.0+3898+7a25cb1afixed 4:4.9.4-13.module_el8.10.0+3898+7a25cb1a
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co
- affected < 4:4.9.4-12.module_el8.10.0+3876+e55593a8fixed 4:4.9.4-12.module_el8.10.0+3876+e55593a8
gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality
- CVE-2024-6104Jun 24, 2024affected < 4:4.9.4-12.module_el8.10.0+3876+e55593a8fixed 4:4.9.4-12.module_el8.10.0+3876+e55593a8
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
- CVE-2024-24789Jun 5, 2024affected < 4:4.9.4-12.module_el8.10.0+3876+e55593a8fixed 4:4.9.4-12.module_el8.10.0+3876+e55593a8
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip pac
- affected < 4:4.9.4-12.module_el8.10.0+3876+e55593a8fixed 4:4.9.4-12.module_el8.10.0+3876+e55593a8
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
- affected < 4:4.9.4-13.module_el8.10.0+3898+7a25cb1afixed 4:4.9.4-13.module_el8.10.0+3898+7a25cb1a
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
- affected < 4:4.9.4-5.el9_4fixed 4:4.9.4-5.el9_4
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and
- affected < 2:4.0.2-26.module_el8.9.0+3722+7fd8ab2b.alma.1fixed 2:4.0.2-26.module_el8.9.0+3722+7fd8ab2b.alma.1
A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause t
- CVE-2024-28180Mar 9, 2024affected < 4:4.9.4-1.module_el8.10.0+3845+87b84552fixed 4:4.9.4-1.module_el8.10.0+3845+87b84552
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret
- CVE-2024-28176Mar 9, 2024affected < 4:4.9.4-4.el9_4fixed 4:4.9.4-4.el9_4
jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encrypt
- affected < 4:4.9.4-3.el9_4fixed 4:4.9.4-3.el9_4
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
Page 2 of 6