First published: Tue Nov 22 2022
"podman build ..." follows symlinks when reading .containerignore and .dockerignore

We've received this potential security issue with Podman, and although not said, it's really in Buildah. I've asked one of our engineers (Aditya) to fix it upstream, but I think it might be wise to backport to Podman 4.1.1 as noted in the issue. Please advise next steps and set up any CVEs or BZs as appropriate. More information in SNow -> [https://redhat.service-now.com/surl.do?n=INC2395282](https://redhat.service-now.com/surl.do?n=INC2395282)
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Podman Project Podman | =4.3.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| go/github.com/containers/podman/v4 | <4.5.0 | 4.5.0 |
CVE-2022-4122 is an information disclosure vulnerability in Buildah (reached through `podman build`): symlinks are followed incorrectly while reading the .containerignore and .dockerignore files of a build context, so the build can read a file the link points to rather than the ignore file itself.
The severity of CVE-2022-4122 is medium with a CVSS score of 5.3.
Podman 4.3.0, Fedora 35, Fedora 36, and Fedora 37 are affected by CVE-2022-4122.
To fix CVE-2022-4122, update to the latest version of Podman or apply the necessary security patches provided by Fedora.
You can find more information about CVE-2022-4122 in the references provided: [link1](https://redhat.service-now.com/surl.do?n=INC2395282), [link2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2145047), [link3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2145048).
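As an added illustration of the mitigation (this is example code, not Buildah's or Podman's own implementation), the Go function below reads the ignore file from a build context and refuses any symlink whose final target lies outside that context, while still accepting links that stay inside it. The function name `ReadIgnoreFile` and its `contextDir` argument are assumptions for this example.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesContext: the ignore file is a symlink whose target lies outside the context.
var ErrEscapesContext = errors.New("ignore file resolves outside the build context")

// ReadIgnoreFile reads .containerignore (falling back to .dockerignore) from the build
// context. A symlink is followed only if its final target stays inside the context.
func ReadIgnoreFile(contextDir string) ([]string, error) {
	root, err := filepath.Abs(contextDir)
	if err != nil {
		return nil, err
	}
	if root, err = filepath.EvalSymlinks(root); err != nil {
		return nil, err
	}
	for _, name := range []string{".containerignore", ".dockerignore"} {
		path := filepath.Join(root, name)
		if _, err := os.Lstat(path); err != nil {
			continue // not present: try the next name
		}
		target, err := filepath.EvalSymlinks(path) // resolve the link before trusting it
		if err != nil {
			return nil, err
		}
		rel, err := filepath.Rel(root, target)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return nil, ErrEscapesContext // target is outside the context: refuse to read it
		}
		data, err := os.ReadFile(target)
		if err != nil {
			return nil, err
		}
		var patterns []string
		for _, line := range strings.Split(string(data), "\n") {
			if line = strings.TrimSpace(line); line != "" && !strings.HasPrefix(line, "#") {
				patterns = append(patterns, line)
			}
		}
		return patterns, nil
	}
	return nil, nil // no ignore file: nothing is excluded
}
```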