GHSA-49p4-px3h-rq49MediumCVSS 6.3
Build breakout using malicious Containerfile and Git Smart HTTP server or GitHub release tar archive
🔗 CVE IDs covered (1)
📋 Description
Impact
When processing a build contexts or add/copy instructions, a malicious server serving a Git repository or a tar archive file can cause files outside of the build context directory to be included in the build context or copied into the build.
Patches
Fixed in Buildah 1.44 and 1.43.2.
🎯 Affected products1
- go/github.com/containers/buildah:>= 1.38.1, < 1.43.2