CVE-2020-10696

Description

A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

Red Hat / buildahFixed in buildah-1.14.5 – Fixed in buildah-1.14.5

References

MISChttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
PATCHhttps://github.com/containers/buildah/pull/2245
VENDOR_ADVISORYhttps://access.redhat.com/security/cve/cve-2020-10696