CVE-2020-10696

A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.

References

Affected packages

Debian:11 / golang-github-containers-buildah

Package

Name: golang-github-containers-buildah
Purl: pkg:deb/debian/golang-github-containers-buildah?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.11.6-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / golang-github-containers-buildah

Package

Name: golang-github-containers-buildah
Purl: pkg:deb/debian/golang-github-containers-buildah?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.11.6-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / golang-github-containers-buildah

Package

Name: golang-github-containers-buildah
Purl: pkg:deb/debian/golang-github-containers-buildah?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.11.6-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/containers/buildah

Affected ranges

Type: GIT
Repo: https://github.com/containers/buildah
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

5247a1f1a3b3ccf3c2ee9b45f67305c517e2d304

Affected versions

1.*

1.4

v0.*

v0.1

v0.10

v0.12

v0.15

v0.2

v0.3

v0.4

v0.5

v0.6

v0.7

v0.8

v1.*

v1.1

v1.10.0

v1.10.1

v1.11.0

v1.11.1

v1.11.2

v1.11.3

v1.11.4

v1.11.5

v1.11.6

v1.12.0

v1.13.2

v1.14.0

v1.14.1

v1.14.2

v1.14.3

v1.14.4

v1.3

v1.4

v1.5

v1.6

v1.7

v1.7.1

v1.7.2

v1.7.3

v1.8.0

v1.8.1

v1.8.2

v1.8.3

v1.8.4

v1.9.0

v1.9.1

v1.9.2