CVE-2024-9675

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Published: Oct 9, 2024 / Updated: 42d ago

CVSS 4.4 / EPSS 0.04% / Medium

Summary

A vulnerability has been identified in Buildah related to improper limitation of a pathname to a restricted directory, commonly known as a 'Path Traversal' vulnerability. Cache mounts (`RUN --mount=type=cache,...`) do not properly validate that user-specified paths for the cache resolve to a location inside Buildah's cache directory. A `RUN` instruction in a Containerfile (Dockerfile) can therefore mount an arbitrary directory from the host, read/write, into the build container, as long as that directory is accessible to the user running Buildah.

Impact

This vulnerability allows a local attacker with low privileges, in practice anyone who can supply a Containerfile to a build (for example through a CI pipeline that builds untrusted sources), to read or modify host files outside the intended cache directory from inside the build container. The impact on confidentiality and integrity is rated low and there is no impact on availability. The attack vector is local, requiring the attacker to have local access to the system, and no user interaction is needed for the exploit to succeed. The reach is bounded by the privileges of the user running Buildah: a rootless build exposes only what that user can already read or write, whereas a build run as root exposes the host filesystem, including system files, to the build.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available for this vulnerability. The issue is tracked on Red Hat's Bugzilla under bug ID 2317458, and the patch was added on October 8, 2024. A GitHub Advisory (GHSA-586p-749j-fhwp) for this vulnerability was published on October 9, 2024; note that the GHSA entry lists no patched upstream version, so consumers should rely on the fixed packages named in the distribution advisories referenced below (for example RLSA-2024:9051 for podman, ALSA-2024-9452, and the OpenShift Container Platform errata).

Mitigation

To mitigate this vulnerability:
1. Apply the available patch as soon as possible: update Buildah, and the Podman and OpenShift builds that vendor it, to the fixed packages shipped by your distribution.
2. Implement the principle of least privilege: restrict who can run builds on systems running Buildah, and run builds under a dedicated rootless user so that an escaping cache mount can reach no more than that user can already access.
3. Monitor build hosts for unexpected file access or unexpected mounts originating from build processes.
4. Until patched, treat Containerfiles as code: build only Containerfiles from trusted sources, and review them for `RUN --mount=type=cache` instructions whose cache path options contain `..` segments, absolute paths, or otherwise resolve outside the cache directory, rejecting such files in CI before the build runs.
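The check that the Summary says is missing (confining a user-supplied cache path to the cache directory) and the Containerfile review in mitigation step 4, as an added Go example written for this page. It is not Buildah's own code or its fix; a production implementation would normally use a library such as github.com/cyphar/filepath-securejoin rather than hand-rolling this. Assumptions: the cache directory path, the option names `source` and `id` as the path-bearing options of a cache mount (check buildah-build(1) for the real option set), and the sample mount specifications are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesCacheDir is returned when a user-supplied cache path would resolve
// outside the cache directory: the validation this CVE describes as missing.
var ErrEscapesCacheDir = errors.New("cache path escapes the cache directory")

// isWithin reports whether p equals root or lies beneath it (lexical compare
// of cleaned absolute paths).
func isWithin(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ResolveCachePath joins userPath onto cacheRoot and returns the absolute path,
// refusing anything that would leave cacheRoot. The check is made lexically
// (".." segments, absolute paths) and then physically when the cache exists:
// the deepest existing ancestor of the candidate is symlink-resolved, so a
// link planted inside the cache cannot redirect the mount to another host dir.
func ResolveCachePath(cacheRoot, userPath string) (string, error) {
	root, err := filepath.Abs(cacheRoot)
	if err != nil {
		return "", err
	}
	// Join cleans the result ("a/../../x" collapses) and re-roots an absolute
	// userPath under root instead of honouring it.
	candidate := filepath.Join(root, userPath)
	if !isWithin(root, candidate) {
		return "", fmt.Errorf("%w: %q", ErrEscapesCacheDir, userPath)
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if errors.Is(err, os.ErrNotExist) {
		return candidate, nil // cache dir not created yet: nothing to resolve
	}
	if err != nil {
		return "", err
	}
	existing := candidate // walk up to the first component present on disk
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		parent := filepath.Dir(existing)
		if parent == existing {
			break
		}
		existing = parent
	}
	realExisting, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err // dangling or unreadable link: refuse rather than guess
	}
	if !isWithin(realRoot, realExisting) {
		return "", fmt.Errorf("%w: %q resolves to %s", ErrEscapesCacheDir, userPath, realExisting)
	}
	return candidate, nil
}

// pathBearingKeys lists the cache-mount options treated as cache-relative
// paths. This set is an assumption for the example, not Buildah's option list.
var pathBearingKeys = map[string]bool{"source": true, "id": true}

// AuditCacheMount parses the "key=value,..." options of a RUN --mount
// instruction and validates every path-bearing option of a cache mount.
func AuditCacheMount(cacheRoot, spec string) error {
	opts := map[string]string{}
	for _, field := range strings.Split(spec, ",") {
		k, v, _ := strings.Cut(field, "=")
		opts[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	if opts["type"] != "cache" {
		return nil // only cache mounts are rooted in the cache directory
	}
	for k, v := range opts {
		if pathBearingKeys[k] && v != "" {
			if _, err := ResolveCachePath(cacheRoot, v); err != nil {
				return fmt.Errorf("option %s: %w", k, err)
			}
		}
	}
	return nil
}

func main() {
	root := "/var/cache/buildah" // hypothetical cache directory
	specs := []string{ // constructed specs: one benign, one traversal attempt
		"type=cache,id=go-build,target=/root/.cache/go-build",
		"type=cache,id=../../outside-the-cache,target=/x",
	}
	for _, s := range specs {
		if err := AuditCacheMount(root, s); err != nil {
			fmt.Println("REJECT", s, "->", err)
		} else {
			fmt.Println("ok    ", s)
		}
	}
}
```

The two-stage check matters because a lexical test alone is defeated by a symlink created inside the cache by an earlier build step; resolving the deepest existing ancestor catches that case even when the final path component does not exist yet.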

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Timeline

Vendor Advisory

Red Hat published its CVE advisory for CVE-2024-9675.

Oct 9, 2024 at 3:00 AM
CVSS

A CVSS base score of 4.4 has been assigned.

Oct 9, 2024 at 3:00 AM / redhat-cve-advisories
First Article

Feedly found the first article mentioning CVE-2024-9675.

Oct 9, 2024 at 3:03 AM / Red Hat CVE Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 9, 2024 at 3:03 AM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 9, 2024 at 6:03 AM
CVE Assignment

NVD published the first details for CVE-2024-9675

Oct 9, 2024 at 3:15 PM
Vendor Advisory

GitHub Advisories released a security advisory.

Oct 9, 2024 at 3:32 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 11.2%)

Oct 10, 2024 at 11:27 AM
CVSS

A CVSS base score of 4.4 has been assigned.

Oct 10, 2024 at 12:55 PM / nvd

Affected Systems

Buildah_project/buildah

Patches

bugzilla.redhat.com

Attack Patterns

CAPEC-126: Path Traversal

Vendor Advisory

[GHSA-586p-749j-fhwp] Buildah allows arbitrary directory mount
GitHub Security Advisory: GHSA-586p-749j-fhwp
Release Date: 2024-10-09
Update Date: 2024-10-09
Severity: Moderate
CVE: CVE-2024-9675

Package Information
Package: github.com/containers/buildah
Affected Versions: (not specified)
Patched Versions: None

Description
A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a RUN instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.

References
https://nvd.nist.gov/vuln/detail/CVE-2024-9675
https://access.redhat.com/security/cve/CVE-2024-9675
https://bugzilla.redhat.com/show_bug.cgi?id=2317458

References

Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.14
The vulnerability exists due to a NULL pointer dereference within the TEMP_TO_REG() and w83793_detect_subclients() functions in drivers/hwmon/w83793.c. A local user can perform a denial of service (DoS) attack.

News

RHSA-2024:9615: Moderate: OpenShift Container Platform 4.16.23 bug fix and security update
All OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. Red Hat OpenShift Container Platform release 4.16.23 is now available with updates to packages and images that fix several bugs and add enhancements.This release includes a security update for Red Hat OpenShift Container Platform 4.16.Red Hat Product Security has rated this update as having a security impact of Moderate.
RockyLinux 9 : podman (RLSA-2024:9051)
Nessus Plugin ID 211601 with Medium Severity Synopsis The remote RockyLinux host is missing one or more security updates. Description The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:9051 advisory. * Buildah: Podman: Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction (CVE-2024-9407) * buildah: Buildah allows arbitrary directory mount (CVE-2024-9675) * Podman: Buildah: CRI-O: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS) (CVE-2024-9676) Tenable has extracted the preceding description block directly from the RockyLinux security advisory. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
rocky_linux RLSA-2024:9051: podman security update (Important)
Development Last Updated: 11/19/2024 CVEs: CVE-2024-9407 , CVE-2024-9676 , CVE-2024-9675
KRB5, Python, Libvirt, and more updates for AlmaLinux
The virt:rhel module contains packageswhich provide user-space components used to run virtual machines using KVM.The packages also provide APIs for managing and interacting with the virtualized systems. Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-9452.html
SUSE update for buildah
This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue can be exploited to mount sensitive directories from the host into a container during the build process and,

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None
