CVE-2019-18466
Severity CVSS v4.0: Pending analysis
Type: CWE-59 (Link Following)
Publication date: 28/10/2019
Last modified: 15/01/2020
Description
An issue was discovered in Podman in libpod before 1.6.0. It resolves a symlink in the host context during a copy operation from the container to the host, because an undesired glob operation occurs. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Base Score 2.0: 5.80
Severity 2.0: MEDIUM
Vulnerable products and versions
CPE | From | Up to
---|---|---
cpe:2.3:a:libpod_project:libpod:*:*:*:*:*:*:*:* | | 1.6.0 (excluding)
References to Advisories, Solutions, and Tools
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00040.html
- https://access.redhat.com/errata/RHSA-2019:4269
- https://bugzilla.redhat.com/show_bug.cgi?id=1744588
- https://github.com/containers/libpod/commit/5c09c4d2947a759724f9d5aef6bac04317e03f7e
- https://github.com/containers/libpod/compare/v1.5.1...v1.6.0
- https://github.com/containers/libpod/issues/3829