CVE-2020-10696: Path Traversal
First published: Thu Mar 26 2020(Updated: )
A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/containers/buildah | <1.14.4 | 1.14.4 |
| redhat/buildah | <1.14.5 | 1.14.5 |
| redhat/buildah | <0:1.11.6-11.el7_8 | 0:1.11.6-11.el7_8 |
| redhat/podman | <0:1.6.4-18.el7_8 | 0:1.6.4-18.el7_8 |
| redhat/podman | <0:1.0.2-4.dev.git96ccc2e.rhaos4.1.el8 | 0:1.0.2-4.dev.git96ccc2e.rhaos4.1.el8 |
| redhat/podman | <0:1.4.2-6.rhaos4.2.el8 | 0:1.4.2-6.rhaos4.2.el8 |
| redhat/podman | <0:1.6.4-10.rhaos4.3.el8 | 0:1.6.4-10.rhaos4.3.el8 |
| Buildah Project Buildah | <1.14.5 | |
| Redhat Openshift Container Platform | =3.11 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-10696
- https://github.com/containers/buildah/pull/2245
- https://access.redhat.com/security/cve/cve-2020-10696
- https://bugzilla.redhat.com/show_bug.cgi?id=1817651
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
- https://github.com/advisories/GHSA-fx8w-mjvm-hvpc (Advisory)
- https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1817687
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1817688
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1817693
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1817691
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1817692
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1817694
- https://access.redhat.com/errata/RHSA-2020:1401
- https://access.redhat.com/errata/RHSA-2020:1396
- https://access.redhat.com/errata/RHSA-2020:1449
- https://access.redhat.com/errata/RHSA-2020:1926
- https://access.redhat.com/errata/RHSA-2020:1931
- https://access.redhat.com/errata/RHSA-2020:1932
- https://access.redhat.com/errata/RHSA-2020:2116
- https://access.redhat.com/errata/RHSA-2020:2117
- https://www.cve.org/CVERecord?id=CVE-2020-10696 https://nvd.nist.gov/vuln/detail/CVE-2020-10696
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-10696?
CVE-2020-10696 is a path traversal vulnerability found in Buildah.
How does CVE-2020-10696 affect Buildah?
CVE-2020-10696 allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.
What is the severity level of CVE-2020-10696?
CVE-2020-10696 has a severity level of 8.8 (high).
Which versions of Buildah are affected by CVE-2020-10696?
Versions of Buildah before 1.14.5 are affected by CVE-2020-10696.
How can I fix CVE-2020-10696 in Buildah?
To fix CVE-2020-10696 in Buildah, update to version 1.14.5 or later.
- collector/github-advisory-latest
- alias/GHSA-fx8w-mjvm-hvpc
- alias/CVE-2020-10696
- collector/github-advisory
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/severity
- agent/references
- agent/remedy
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/go
- package-manager/redhat
- vendor/buildah project
- canonical/buildah project buildah
- vendor/redhat
- canonical/redhat openshift container platform
- version/redhat openshift container platform/3.11
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0