CVE-2019-18466 — Link Following in Containers Libpod

CWE-59 — Link Following9 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.8%

top 25.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Containers Libpod Github.com Containers Podman V4 Libpod Project Libpod

Timeline

PublishedOct 28

Latest updateAug 20

Description

An issue was discovered in Podman in libpod before 1.6.0. It resolves a symlink in the host context during a copy operation from the container to the host, because an undesired glob operation occurs. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶Gogithub.com/containers_libpod< 1.6.0

▶Gogithub.com/containers_podman_v4< 1.6.0

▶NVDlibpod_project/libpod< 1.6.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Podman Symlink Vulnerability in github.com/containers/libpod↗2024-08-20

▶

OSV

Podman Symlink Vulnerability↗2022-05-24

▶

GHSA

Podman Symlink Vulnerability↗2022-05-24

▶

CVEList

CVE-2019-18466: An issue was discovered in Podman in libpod before 1↗2019-10-28

▶

📋Vendor Advisories

Red Hat

podman: resolving symlink in host filesystem leads to unexpected results of copy operation↗2019-08-22

▶

Debian

CVE-2019-18466: libpod - An issue was discovered in Podman in libpod before 1.6.0. It resolves a symlink ...↗2019

▶

💬Community

Bugzilla

CVE-2019-18466 podman: resolving symlink in host filesystem leads to unexpected results of copy operation [fedora-all]↗2019-09-23

▶

Bugzilla

CVE-2019-18466 podman: resolving symlink in host filesystem leads to unexpected results of copy operation↗2019-08-22

▶