Path Traversal in Buildah

High severity • GitHub Reviewed • Published May 18, 2021 to the GitHub Advisory Database • Updated Sep 29, 2023

Package

gomod github.com/containers/buildah (Go)

Affected versions

< 1.14.4

Patched versions

1.14.4

Description

A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.

Specific Go Packages Affected

github.com/containers/buildah/imagebuildah

References

Reviewed May 7, 2021
Published to the GitHub Advisory Database May 18, 2021
Last updated Sep 29, 2023

Severity

High 8.8 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2020-10696

GHSA ID

GHSA-fx8w-mjvm-hvpc

Source code

No known source code