{"id":"CVE-2024-9675","details":"A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified cache paths are within Buildah's own cache directory, allowing a `RUN` instruction in a Containerfile to mount an arbitrary directory from the host (read/write) into the container, as long as the user running Buildah can access the files in that directory.","aliases":["GHSA-586p-749j-fhwp","GO-2024-3186"],"modified":"2026-03-23T05:12:36.011191664Z","published":"2024-10-09T15:15:17.837Z","related":["ALSA-2024:8563","ALSA-2024:8846","ALSA-2024:9051","ALSA-2024:9454","ALSA-2024:9459","CGA-v934-vq76-4q5f","RLSA-2024:8846","SUSE-SU-2024:3728-1","SUSE-SU-2024:3741-1","SUSE-SU-2024:3911-1","SUSE-SU-2024:3988-1","SUSE-SU-2024:4303-1","SUSE-SU-2025:0267-1","SUSE-SU-2025:0775-1","SUSE-SU-2025:20080-1","openSUSE-SU-2024:0350-1","openSUSE-SU-2024:14405-1","openSUSE-SU-2024:14409-1","openSUSE-SU-2024:14447-1"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:9459"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8675"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8679"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8690"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8707"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:2701"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:3301"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:3573"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2024-9675"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8563"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8709"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8984"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8994"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2
024:9454"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:2445"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:2454"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8686"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8703"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8846"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:2449"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:2710"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8700"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:8708"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:9051"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2317458"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"4.13"}]},{"events":[{"introduced":"0"},{"last_affected":"4.14"}]},{"events":[{"introduced":"0"},{"last_affected":"4.15"}]},{"events":[{"introduced":"0"},{"last_affected":"4.16"}]},{"events":[{"introduced":"0"},{"last_affected":"4.17"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.4"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected":"9.4_aarch64"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0_s390x"}]},{"events":[{"introduced":"0"
},{"last_affected":"9.0_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"9.4_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"9.4_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.4"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"9.4_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.4"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-9675.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}]}