{"id":"GO-2024-2658","summary":"Container escape at build time in github.com/containers/buildah","details":"A crafted container file can use a dummy image with a symbolic link to the host filesystem as a mount source and cause the mount operation to mount the host filesystem during a build-time RUN step. The commands inside the RUN step will then have read-write access to the host filesystem.","aliases":["CVE-2024-1753","GHSA-874v-pj72-92f3","GHSA-pmf3-c36m-g5cf"],"modified":"2026-02-04T02:20:44.847459Z","published":"2024-03-22T16:47:09Z","related":["CGA-m7qx-2wj6-gx3g","GHSA-874v-pj72-92f3","RHSA-2024:2049","RHSA-2024:2055","RHSA-2024:2064","RHSA-2024:2066","RHSA-2024:2077","RHSA-2024:2084","RHSA-2024:2089","RHSA-2024:2090","RHSA-2024:2097","RHSA-2024:2098","RHSA-2024:2548","RHSA-2024:2645","RHSA-2024:2669","RHSA-2024:2672","RHSA-2024:2784","RHSA-2024:2877","RHSA-2024:3254"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2024-2658"},"references":[{"type":"FIX","url":"https://github.com/containers/buildah/commit/9de9c20ff368beb84b84fe660773d352519dc1c5"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2265513"}],"affected":[{"package":{"name":"github.com/containers/buildah","ecosystem":"Go","purl":"pkg:golang/github.com/containers/buildah"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.35.1"}]}],"ecosystem_specific":{"imports":[{"symbols":["GetBindMount","GetVolumes"],"path":"github.com/containers/buildah/internal/volumes"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2658.json"}}],"schema_version":"1.7.3","credits":[{"name":"@rmcnamara-snyk"}]}