{"id":"UBUNTU-CVE-2024-9341","details":"A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.","modified":"2026-05-20T16:20:17.247680020Z","published":"2024-10-01T19:15:00Z","upstream":["CVE-2024-9341"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-9341"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-9341"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2315691"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2024-9341"},{"type":"REPORT","url":"https://github.com/containers/common/blob/384f77532f67afc8a73d8e0c4adb0d195df57714/pkg/subscriptions/subscriptions.go#L169"},{"type":"REPORT","url":"https://github.com/containers/common/blob/384f77532f67afc8a73d8e0c4adb0d195df57714/pkg/subscriptions/subscriptions.go#L349"}],"affected":[{"package":{"name":"golang-github-containers-common","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/golang-github-containers-common?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.38.16+ds1-1ubuntu1","0.44.3+ds1-2ubuntu1","0.44.4+ds1-1"],"ecosystem_specific":{"binaries":[{"binary_version":"0.44.4+ds1-1","binary_name":"golang-github-containers-common"},{"binary_version":"0.44.4+ds1-1","binary_name":"golang-github-containers-common-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-9341.json"}},{"package":{"name":"golang-github-containers-common","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/golang-github-containers-common?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.50.1+ds1-4","0.56.0+ds1-4","0.57.0+ds1-2","0.57.2+ds1-2","0.57.4+ds1-2","0.57.4+ds1-2ubuntu0.1","0.57.4+ds1-2ubuntu0.2"],"ecosystem_specific":{"binaries":[{"binary_version":"0.57.4+ds1-2ubuntu0.2","binary_name":"golang-github-containers-common"},{"binary_version":"0.57.4+ds1-2ubuntu0.2","binary_name":"golang-github-containers-common-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-9341.json"}},{"package":{"name":"golang-github-containers-common","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/golang-github-containers-common?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.62.2+ds1-2"],"ecosystem_specific":{"binaries":[{"binary_version":"0.62.2+ds1-2","binary_name":"golang-github-containers-common"},{"binary_version":"0.62.2+ds1-2","binary_name":"golang-github-containers-common-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-9341.json"}},{"package":{"name":"golang-github-containers-common","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/golang-github-containers-common?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.62.2+ds1-2","0.66.0+ds2-3"],"ecosystem_specific":{"binaries":[{"binary_version":"0.66.0+ds2-3","binary_name":"golang-github-containers-common"},{"binary_version":"0.66.0+ds2-3","binary_name":"golang-github-containers-common-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-9341.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]}