First published: Tue Oct 01 2024
A flaw in the bind-propagation option of the Dockerfile RUN --mount instruction allows arbitrary parameters to be passed to the underlying mount command. This issue enables an attacker to mount arbitrary host files into a container during the build process and potentially modify them. SELinux does not provide sufficient defense, as the attacker can specify :z or :Z to relabel the host directory for container access. The vulnerability requires an attacker to have build privileges on the system and can lead to unauthorized access and modification of host files, posing significant security risks.
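A pre-build lint for the option described above, as an added example that is not part of the original advisory or of any project's code: it flags any `RUN --mount` whose `bind-propagation` value is not one of the six documented propagation modes. The function names, the allowlist as the set of intended values, and the sample Dockerfile are assumptions; quoting and heredoc forms are not handled.

```python
import re

# Assumption: only the documented mount propagation modes are legitimate values.
ALLOWED_PROPAGATION = {"shared", "slave", "private", "rshared", "rslave", "rprivate"}

def logical_lines(text):
    """Yield (first_line_number, joined_text) with backslash continuations merged."""
    buf, start = [], None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = num
        if line.endswith("\\"):
            buf.append(line[:-1])   # drop the backslash, keep reading
            continue
        buf.append(line)
        yield start, "".join(buf)   # backslash-newline is removed, not spaced
        buf, start = [], None
    if buf:
        yield start, "".join(buf)

def find_bad_propagation(dockerfile_text):
    """Return [(line_number, value)] for each non-allowlisted bind-propagation value."""
    findings = []
    for num, line in logical_lines(dockerfile_text):
        if not re.match(r"\s*RUN\s", line, re.IGNORECASE):
            continue
        for token in line.split():
            if not token.startswith("--mount="):
                continue
            for option in token[len("--mount="):].split(","):
                key, _, value = option.partition("=")
                # Exact match only: empty or decorated values are rejected too.
                if key == "bind-propagation" and value not in ALLOWED_PROPAGATION:
                    findings.append((num, value))
    return findings

# Constructed sample input; the rejected value is a placeholder, not a real payload.
SAMPLE = """\
FROM scratch
RUN --mount=type=bind,source=.,target=/src,bind-propagation=rprivate true
RUN --mount=type=bind,source=.,target=/src,\\
bind-propagation=PLACEHOLDER_UNEXPECTED_VALUE true
"""

if __name__ == "__main__":
    for num, value in find_bad_propagation(SAMPLE):
        print(f"line {num}: unexpected bind-propagation value {value!r}")
```

Running a check like this in CI before the build step rejects untrusted Dockerfiles without needing build privileges on the host.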