CVE-2024-9341

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-9341
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-9341.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-9341
Published
2024-10-01T19:15:09Z
Modified
2024-11-12T19:05:02.707355Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Summary
[none]
Details

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.

Affected packages

Debian:11 / golang-github-containers-common

Package

Name
golang-github-containers-common
Purl
pkg:deb/debian/golang-github-containers-common?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

0.*

0.33.4+ds1-1
0.33.4+ds1-1+deb11u1
0.33.4+ds1-1+deb11u2
0.34.2+ds1-1
0.35.4+ds1-1
0.36.0+ds1-1
0.38.5+ds2-1
0.38.9+ds1-1
0.38.12+ds1-1
0.38.12+ds1-2
0.38.16+ds1-1
0.42.1+ds1-1
0.42.1+ds1-2
0.44.0+ds1-1
0.44.3+ds1-1
0.44.3+ds1-2
0.44.4+ds1-1
0.44.5+ds1-1
0.46.0+ds1-1
0.47.2+ds1-1
0.48.0+ds1-1
0.48.0+ds1-2
0.49.1+ds1-1
0.50.1+ds1-1
0.50.1+ds1-2
0.50.1+ds1-3
0.50.1+ds1-4
0.51.0+ds1-1
0.52.0+ds1-1
0.52.0+ds1-2
0.55.4+ds1-1
0.55.4+ds1-2
0.55.4+ds1-3
0.56.0+ds1-1
0.56.0+ds1-2
0.56.0+ds1-3
0.56.0+ds1-4
0.57.0+ds1-1
0.57.0+ds1-2
0.57.2+ds1-1
0.57.2+ds1-2
0.57.4+ds1-1
0.57.4+ds1-2
0.57.4+ds1-3
0.57.4+ds1-4
0.58.0+ds1-1
0.58.2+ds1-2
0.58.2+ds1-3
0.60.0+ds1-1
0.60.1+ds1-1
0.60.1+ds1-3
0.60.2+ds1-1
0.60.2+ds1-2
0.60.3+ds1-3
0.60.4+ds1-1
0.61.0+ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / golang-github-containers-common

Package

Name
golang-github-containers-common
Purl
pkg:deb/debian/golang-github-containers-common?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

0.*

0.50.1+ds1-4
0.51.0+ds1-1
0.52.0+ds1-1
0.52.0+ds1-2
0.55.4+ds1-1
0.55.4+ds1-2
0.55.4+ds1-3
0.56.0+ds1-1
0.56.0+ds1-2
0.56.0+ds1-3
0.56.0+ds1-4
0.57.0+ds1-1
0.57.0+ds1-2
0.57.2+ds1-1
0.57.2+ds1-2
0.57.4+ds1-1
0.57.4+ds1-2
0.57.4+ds1-3
0.57.4+ds1-4
0.58.0+ds1-1
0.58.2+ds1-2
0.58.2+ds1-3
0.60.0+ds1-1
0.60.1+ds1-1
0.60.1+ds1-3
0.60.2+ds1-1
0.60.2+ds1-2
0.60.3+ds1-3
0.60.4+ds1-1
0.61.0+ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / golang-github-containers-common

Package

Name
golang-github-containers-common
Purl
pkg:deb/debian/golang-github-containers-common?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.60.4+ds1-1

Affected versions

0.*

0.50.1+ds1-4
0.51.0+ds1-1
0.52.0+ds1-1
0.52.0+ds1-2
0.55.4+ds1-1
0.55.4+ds1-2
0.55.4+ds1-3
0.56.0+ds1-1
0.56.0+ds1-2
0.56.0+ds1-3
0.56.0+ds1-4
0.57.0+ds1-1
0.57.0+ds1-2
0.57.2+ds1-1
0.57.2+ds1-2
0.57.4+ds1-1
0.57.4+ds1-2
0.57.4+ds1-3
0.57.4+ds1-4
0.58.0+ds1-1
0.58.2+ds1-2
0.58.2+ds1-3
0.60.0+ds1-1
0.60.1+ds1-1
0.60.1+ds1-3
0.60.2+ds1-1
0.60.2+ds1-2
0.60.3+ds1-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}