Buildah Project Buildah vulnerabilities

4 known vulnerabilities affecting buildah_project/buildah.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 2

Vulnerabilities

CVE-2022-2990 | HIGH | CVSS 7.1 | fixed in 1.27.1 | no fixed version known | 2022-09-13
CVE-2022-2990 [HIGH] CWE-842: Incorrect handling of supplementary groups in the Buildah container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute binary code in that container.
Sources: cvelistv5, nvd
CVE-2022-27651 | MEDIUM | CVSS 6.8 | fixed in 1.25.0 | Affects buildah v1.24.0 and prior, Fixed in - v1.25.0 | 2022-04-04
CVE-2022-27651 [MEDIUM] CWE-276: A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilitie
Sources: cvelistv5, nvd
CVE-2021-3602 | MEDIUM | CVSS 5.5 | fixed in 1.16.8 | ≥ 1.17.0, < 1.17.2 (+3 more) | 2022-03-03
CVE-2021-3602 [MEDIUM] CWE-200: An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that w
Sources: cvelistv5, nvd
CVE-2020-10696 | HIGH | CVSS 8.8 | fixed in 1.14.5 | 2020-03-31
CVE-2020-10696 [HIGH] CWE-22: A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.
Sources: nvd