CVE-2024-9676

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Published: Oct 15, 2024 / Updated: 35d ago

CVSS 6.5 / EPSS 0.05% / Medium

A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.
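As an added example (not code from containers/storage, Podman, Buildah or CRI-O), this Go helper shows the check the description says was missing: every path component under the container root is inspected with Lstat so an image-supplied symlink is refused rather than followed, and the read is capped so an oversized file cannot drive the reader to an OOM kill. The `safeRead` and `demoRoot` names and the constructed rootfs layout are assumptions made for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

var ErrSymlink = errors.New("symlink inside container root")

// safeRead (added example, not containers/storage code) walks rel under root one
// component at a time, refusing ".." and symlinks, then caps the read to limit bytes.
func safeRead(root, rel string, limit int64) ([]byte, error) {
	cur := root
	for _, part := range strings.Split(filepath.Clean(rel), "/") {
		if part == ".." {
			return nil, fmt.Errorf("path escapes root: %q", rel)
		}
		cur = filepath.Join(cur, part) // Join drops empty and "." components
		if fi, err := os.Lstat(cur); err != nil {
			return nil, err
		} else if fi.Mode()&os.ModeSymlink != 0 {
			return nil, fmt.Errorf("%w: %s", ErrSymlink, cur)
		}
	}
	f, err := os.OpenFile(cur, os.O_RDONLY|syscall.O_NOFOLLOW, 0) // no Lstat/open race on the leaf
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(io.LimitReader(f, limit)) // bounded read, so no unbounded allocation
}

// demoRoot builds a constructed rootfs whose etc/passwd links to a file outside it.
func demoRoot() (root, outside string, err error) {
	dir, err := os.MkdirTemp("", "cve-2024-9676-demo")
	if err != nil {
		return "", "", err
	}
	root, outside = filepath.Join(dir, "rootfs"), filepath.Join(dir, "host-secret")
	return root, outside, errors.Join(
		os.MkdirAll(filepath.Join(root, "etc"), 0o755),
		os.WriteFile(outside, []byte("host-only data\n"), 0o600),
		os.Symlink(outside, filepath.Join(root, "etc", "passwd")))
}
```

The naive `os.ReadFile(filepath.Join(root, "etc/passwd"))` on the same rootfs follows the link and returns the outside file, which is the behaviour the advisory describes.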

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2024-9676).

Oct 15, 2024 at 3:30 PM
CVSS

A CVSS base score of 6.5 has been assigned.

Oct 15, 2024 at 3:30 PM / redhat-cve-advisories
First Article

Feedly found the first article mentioning CVE-2024-9676.

Oct 15, 2024 at 3:30 PM / Red Hat CVE Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 15, 2024 at 3:30 PM
CVE Assignment

NVD published the first details for CVE-2024-9676

Oct 15, 2024 at 4:15 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 19.9%)

Oct 16, 2024 at 9:58 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (514168)

Oct 19, 2024 at 5:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (514169)

Oct 19, 2024 at 5:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (757291)

Oct 24, 2024 at 7:53 AM

Affected Systems

Podman_project/podman

Patches

bugzilla.redhat.com

Attack Patterns

CAPEC-126: Path Traversal

Vendor Advisory

CVE-2024-9676
2317467 - Podman: Buildah: CRI-O: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS) Red Hat Enterprise Linux 8 - container-tools:rhel8/buildah - Affected

News

RHSA-2024:9615: Moderate: OpenShift Container Platform 4.16.23 bug fix and security update
All OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. Red Hat OpenShift Container Platform release 4.16.23 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.16. Red Hat Product Security has rated this update as having a security impact of Moderate.
RockyLinux 9 : podman (RLSA-2024:9051)
Nessus Plugin ID 211601 with Medium Severity Synopsis The remote RockyLinux host is missing one or more security updates. Description The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:9051 advisory. * Buildah: Podman: Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction (CVE-2024-9407) * buildah: Buildah allows arbitrary directory mount (CVE-2024-9675) * Podman: Buildah: CRI-O: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS) (CVE-2024-9676) Tenable has extracted the preceding description block directly from the RockyLinux security advisory. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
rocky_linux RLSA-2024:9051: RLSA-2024:9051: podman security update (Important)
Development Last Updated: 11/19/2024 CVEs: CVE-2024-9407, CVE-2024-9676, CVE-2024-9675
Red Hat Enterprise Linux 9 update for buildah
This issue can be exploited to mount sensitive directories from the host into a container during the build process, and a local user can create a symbolic link to an arbitrary file on the system, force the library to read it and perform a denial of service (DoS) attack.
KRB5, Python, Libvirt, and more updates for AlmaLinux
The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2024-9452.html

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability Impact: High
