CVE-2024-9407Improper Input Validation in Containers Buildah

CWE-20Improper Input Validation9 documents7 sources
Severity
4.7MEDIUMNVD
EPSS
0.0%
top 94.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Github.com Containers BuildahGithub.com Containers PodmanGithub.com Containers Podman V2+3 more
Timeline
PublishedOct 1
Latest updateOct 9

Description

A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing t

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:NExploitability: 0.5 | Impact: 4.2

Affected Packages6 packages

🔴Vulnerability Details

5
OSV
Improper Input Validation in Buildah and Podman in github.com/containers/buildah2024-10-09
GHSA
Improper Input Validation in Buildah and Podman2024-10-01
OSV
CVE-2024-9407: A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction2024-10-01
CVEList
Buildah: podman: improper input validation in bind-propagation option of dockerfile run --mount instruction2024-10-01
OSV
Improper Input Validation in Buildah and Podman2024-10-01

📋Vendor Advisories

3
Microsoft
Buildah: podman: improper input validation in bind-propagation option of dockerfile run --mount instruction2024-10-08
Red Hat
Buildah: Podman: Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction2024-10-01
Debian
CVE-2024-9407: golang-github-containers-buildah - A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mo...2024
CVE-2024-9407 — Improper Input Validation | cvebase