CVE-2019-18466
Summary
| CVE | CVE-2019-18466 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2019-10-28 13:15:00 UTC |
|---|
| Updated | 2020-01-15 14:15:00 UTC |
|---|
| Description | An issue was discovered in Podman in libpod before 1.6.0. It resolves a symlink in the host context during a copy operation from the container to the host, because an undesired glob operation occurs. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| Merge pull request #3942 from jwhonce/issue/3829 · containers/podman@5c09c4d · GitHub |
MISC |
github.com |
Patch |
| [security-announce] openSUSE-SU-2020:0398-1: moderate: Security update f |
SUSE |
lists.opensuse.org |
|
| 1744588 – (CVE-2019-18466) CVE-2019-18466 podman: resolving symlink in host filesystem leads to unexpected results of copy operation |
MISC |
bugzilla.redhat.com |
Issue Tracking, Third Party Advisory |
| podman cp dereferences symlink in host context after filepath.Glob(srcPath) · Issue #3829 · containers/podman · GitHub |
MISC |
github.com |
Exploit, Third Party Advisory |
| Comparing v1.5.1...v1.6.0 · containers/podman · GitHub |
MISC |
github.com |
Patch |
| Red Hat Customer Portal |
REDHAT |
access.redhat.com |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 377377 Alibaba Cloud Linux Security Update for container-tools:rhel8 (ALINUX3-SA-2021:0013)
- 940571 AlmaLinux Security Update for container-tools:rhel8 (ALSA-2019:4269)
- 960726 Rocky Linux Security Update for container-tools:rhel8 (RLSA-2019:4269)
