CVE-2024-9341

EUVD-2024-3079

01.10.2024, 19:15

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.

Link Following

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.4 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 76%

Affected Products (NVD)

Vendor	Product	Version
containers	common	*
redhat	openshift_container_platform	4.12
redhat	openshift_container_platform	4.13
redhat	openshift_container_platform	4.14
redhat	openshift_container_platform	4.15
redhat	openshift_container_platform	4.16
redhat	openshift_container_platform	4.17
redhat	enterprise_linux	8.0
redhat	enterprise_linux	9.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

golang-github-containers-common

bookworm	no-dsa
bullseye	postponed
forky	0.66.0+ds2-3 fixed
sid	0.66.0+ds2-3 fixed
trixie	0.62.2+ds1-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

golang-github-containers-common

focal	dne
jammy	needs-triage
noble	needs-triage
oracular	ignored
plucky	needs-triage
questing	needs-triage

openSUSE / SLES Releases

openSUSE Product

Release

buildah

suse enterprise sap 15 SP5	1.35.4-150500.3.13.1 fixed
suse enterprise sap 15 SP6	1.35.4-150500.3.13.1 fixed
suse enterprise sap 15 SP7	1.35.4-150500.3.13.1 fixed
suse enterprise server 15 SP3	1.35.4-150300.8.28.3 fixed
suse enterprise server 15 SP4	1.35.4-150400.3.33.1 fixed
suse enterprise server 15 SP5	1.35.4-150500.3.13.1 fixed
suse enterprise server 15 SP6	1.35.4-150500.3.13.1 fixed
suse enterprise server 15 SP7	1.35.4-150500.3.13.1 fixed

podman

suse enterprise sap 15 SP5	4.9.5-150500.3.18.1 fixed
suse enterprise sap 15 SP6	4.9.5-150500.3.18.1 fixed
suse enterprise sap 15 SP7	4.9.5-150500.3.18.1 fixed
suse enterprise server 15 SP3	4.9.5-150300.9.43.1 fixed
suse enterprise server 15 SP4	4.9.5-150400.4.35.1 fixed
suse enterprise server 15 SP5	4.9.5-150500.3.18.1 fixed
suse enterprise server 15 SP6	4.9.5-150500.3.18.1 fixed
suse enterprise server 15 SP7	4.9.5-150500.3.18.1 fixed

podman-docker

suse enterprise sap 15 SP5	4.9.5-150500.3.18.1 fixed
suse enterprise sap 15 SP6	4.9.5-150500.3.18.1 fixed
suse enterprise sap 15 SP7	4.9.5-150500.3.18.1 fixed
suse enterprise server 15 SP4	4.9.5-150400.4.35.1 fixed
suse enterprise server 15 SP5	4.9.5-150500.3.18.1 fixed
suse enterprise server 15 SP6	4.9.5-150500.3.18.1 fixed
suse enterprise server 15 SP7	4.9.5-150500.3.18.1 fixed

podman-remote

suse enterprise sap 15 SP5	4.9.5-150500.3.18.1 fixed
suse enterprise sap 15 SP6	4.9.5-150500.3.18.1 fixed
suse enterprise sap 15 SP7	4.9.5-150500.3.18.1 fixed
suse enterprise server 15 SP3	4.9.5-150300.9.43.1 fixed
suse enterprise server 15 SP4	4.9.5-150400.4.35.1 fixed
suse enterprise server 15 SP5	4.9.5-150500.3.18.1 fixed
suse enterprise server 15 SP6	4.9.5-150500.3.18.1 fixed
suse enterprise server 15 SP7	4.9.5-150500.3.18.1 fixed

podmansh

suse enterprise sap 15 SP5	4.9.5-150500.3.18.1 fixed
suse enterprise sap 15 SP6	4.9.5-150500.3.18.1 fixed
suse enterprise sap 15 SP7	4.9.5-150500.3.18.1 fixed
suse enterprise server 15 SP5	4.9.5-150500.3.18.1 fixed
suse enterprise server 15 SP6	4.9.5-150500.3.18.1 fixed
suse enterprise server 15 SP7	4.9.5-150500.3.18.1 fixed