CVE-2023-0778Time-of-check Time-of-use (TOCTOU) Race Condition in Containers Podman V4

CWE-367Time-of-check Time-of-use (TOCTOU) Race Condition9 documents7 sources
Severity
6.8MEDIUMNVD
EPSS
0.1%
top 70.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Libpod Project LibpodGithub.com Containers Podman V4Podman Project Podman+1 more
Timeline
PublishedMar 27
Latest updateApr 3

Description

A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.6 | Impact: 5.2

Affected Packages3 packages

CVEListV5podman_project/podmanunknown
Debianlibpod_project/libpod< 4.3.1+ds1-7

Also affects: Enterprise Linux 8.0, 9.0

🔴Vulnerability Details

5
OSV
Time-of-check time-of-use race condition in github.com/containers/podman/v42023-04-03
GHSA
Podman Time-of-check Time-of-use (TOCTOU) Race Condition2023-03-27
OSV
CVE-2023-0778: A Time-of-check Time-of-use (TOCTOU) flaw was found in podman2023-03-27
OSV
Podman Time-of-check Time-of-use (TOCTOU) Race Condition2023-03-27
CVEList
CVE-2023-0778: A Time-of-check Time-of-use (TOCTOU) flaw was found in podman2023-03-27

📋Vendor Advisories

3
Microsoft
A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for access2023-03-14
Red Hat
podman: symlink exchange attack in podman export volume2023-02-15
Debian
CVE-2023-0778: libpod - A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may al...2023