Bug 1205673 - (CVE-2022-4123) VUL-1: CVE-2022-4123: buildah: Path disclosure
(CVE-2022-4123)
VUL-1: CVE-2022-4123: buildah: Path disclosure
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Containers Team
Security Team bot
https://smash.suse.de/issue/348702/
CVSSv3.1:SUSE:CVE-2022-4123:3.1:(AV:A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-11-23 08:41 UTC by Robert Frohl
Modified: 2023-01-19 12:00 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2022-11-23 08:41:59 UTC
rh#2144989

This flaw was found in Buildah via podman,.
> Type: information disclosure of a local absolute path
>
> Severity: very low. (A local path is not that sensitive information).
> Feel free to just disregard this report if you think this issue has
> too low importance.
>
> Summary: Podman may disclose the absolute path of an empty context dir
> when running "podman --remote build -t test1 -f /tmp/Dockerfile
> emptydir". The path could be logged in the container image. (The
> lowest subdirectory of the absolute path might not be disclosed, see
> discussion below)
>
> The issue was introduced in
> https://github.com/containers/podman/pull/13531
> that went into the Podman release v4.1.0-rc1
>

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2144989
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4123