Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2024-9675

Medium

4.4/10

Summary

A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah. This vulnerability affects "github.com/containers/buildah" versions through v1.26.7, v1.27.0 through v1.27.4. v1.28.0 through v1.28.2, v1.29.0 through v1.29.3, v1.30.0 through v1.33.11, v1.34.0 through v1.37.4.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-22 - Path Traversal

Path traversal (or directory traversal), is a vulnerability that allows malicious users to traverse the server's root directory, gaining access to arbitrary files and folders such as application code & data, back-end credentials, and sensitive operating system files. In the worst-case scenario, an attacker could potentially execute arbitrary files on the server, resulting in a denial of service attack. Such an exploit may severely impact the integrity, confidentiality, and availability of an application.

References

Advisory Timeline

Published Oct 09, 2024

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2024-9675

Summary

CWE-22 - Path Traversal

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS