{"api_version":"1","generated_at":"2026-04-23T09:23:23+00:00","cve":"CVE-2020-1726","urls":{"html":"https://cve.report/CVE-2020-1726","api":"https://cve.report/api/cve/CVE-2020-1726.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-1726","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-1726"},"summary":{"title":"CVE-2020-1726","description":"A flaw was discovered in Podman where it incorrectly allows containers when created to overwrite existing files in volumes, even if they are mounted as read-only. When a user runs a malicious container or a container based on a malicious image with an attached volume that is used for the first time, it is possible to trigger the flaw and overwrite files in the volume. This issue was introduced in version 1.6.0.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2020-02-11 20:15:00","updated_at":"2023-02-12 23:40:00"},"problem_types":["CWE-552"],"metrics":[],"references":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1726","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1726","refsource":"CONFIRM","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"1801152 – (CVE-2020-1726) CVE-2020-1726 podman: incorrectly allows existing files in volumes to be overwritten by a container when it is created","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00103.html","name":"openSUSE-SU-2020:1559","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:1559-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/security/cve/CVE-2020-1726","name":"https://access.redhat.com/security/cve/CVE-2020-1726","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and 
knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1801152","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1801152","refsource":"MISC","tags":[],"title":"1801152 – (CVE-2020-1726) CVE-2020-1726 podman: incorrectly allows existing files in volumes to be overwritten by a container when it is created","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2020:0680","name":"RHSA-2020:0680","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00097.html","name":"openSUSE-SU-2020:1552","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:1552-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2020:1650","name":"https://access.redhat.com/errata/RHSA-2020:1650","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-1726","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1726","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"1726","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"libpod_project","cpe5":"libpod","cpe6":"1.6.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1726","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"libpod_project","cpe5":"libpod","cpe6":"1.6.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1726","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1726","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1726","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openshift_container_platform","cpe6":"4.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1726","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openshift_container_platform","cpe6":"4.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-1726","qid":"159667","title":"Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2020-1650)"},{"cve":"CVE-2020-1726","qid":"377377","title":"Alibaba Cloud Linux Security Update for 
container-tools:rhel8 (ALINUX3-SA-2021:0013)"},{"cve":"CVE-2020-1726","qid":"501895","title":"Alpine Linux Security Update for podman"},{"cve":"CVE-2020-1726","qid":"750618","title":"OpenSUSE Security Update for conmon, fuse-overlayfs, libcontainers-common, podman (openSUSE-SU-2020:1559-1)"},{"cve":"CVE-2020-1726","qid":"750623","title":"OpenSUSE Security Update for conmon, fuse-overlayfs, libcontainers-common, podman (openSUSE-SU-2020:1552-1)"},{"cve":"CVE-2020-1726","qid":"770014","title":"Red Hat OpenShift Container Platform 4.3.5 Security Update (RHSA-2020:0680)"},{"cve":"CVE-2020-1726","qid":"940531","title":"AlmaLinux Security Update for container-tools:rhel8 (ALSA-2020:1650)"},{"cve":"CVE-2020-1726","qid":"960829","title":"Rocky Linux Security Update for container-tools:rhel8 (RLSA-2020:1650)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2020-1726","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"A flaw was discovered in Podman where it incorrectly allows containers when created to overwrite existing files in volumes, even if they are mounted as read-only. 
When a user runs a malicious container or a container based on a malicious image with an attached volume that is used for the first time, it is possible to trigger the flaw and overwrite files in the volume. This issue was introduced in version 1.6.0."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-552","cweId":"CWE-552"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"The ","product":{"product_data":[{"product_name":"podman","version":{"version_data":[{"version_affected":"=","version_value":"from 1.6.0 onwards"}]}}]}}]}},"references":{"reference_data":[{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00097.html","refsource":"MISC","name":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00097.html"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00103.html","refsource":"MISC","name":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00103.html"},{"url":"https://access.redhat.com/errata/RHSA-2020:0680","refsource":"MISC","name":"https://access.redhat.com/errata/RHSA-2020:0680"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1726","refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1726"}]},"impact":{"cvss":[{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}]}},"nvd":{"publishedDate":"2020-02-11 20:15:00","lastModifiedDate":"2023-02-12 
23:40:00","problem_types":["CWE-552"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":5.9,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.2,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":5.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:libpod_project:libpod:1.6.0:-:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:openshift_container_platform:4.3:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"1726","Ordinal":"160964","Title":"CVE-2020-1726","CVE":"CVE-2020-1726","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"1726","Ordinal":"1","NoteData":"A flaw was discovered in Podman where it incorrectly allows containers when created to overwrite existing files in volumes, even if they are mounted as read-only. 
When a user runs a malicious container or a container based on a malicious image with an attached volume that is used for the first time, it is possible to trigger the flaw and overwrite files in the volume. This issue was introduced in version 1.6.0.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"1726","Ordinal":"2","NoteData":"2020-02-11","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"1726","Ordinal":"3","NoteData":"2020-09-28","Type":"Other","Title":"Modified"}]}}}