CVE-2019-18466

MEDIUM EPSS 70.9%
Published Oct 28, 2019 (6y ago) · Modified Jun 17, 2026 (2w ago)
5.5 CVSS 3.1
Medium

Description

An issue was discovered in Podman in libpod before 1.6.0. It resolves a symlink in the host context during a copy operation from the container to the host, because an undesired glob operation occurs. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.

CVSS Details

Base Score: 5.5
Exploitability: 1.8
Impact: 3.6
Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Threat Intelligence

EPSS Exploit Probability: 70.9% percentile
Exploit & Patch Status: Public Exploit Known, Patch Available

Weaknesses 1

CWE-59

Affected Products 1

Vendor: libpod_project
Product: libpod
Version: *
Range: <1.6.0

References 6

  • lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00040.html
  • access.redhat.com https://access.redhat.com/errata/RHSA-2019:4269
  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=1744588
    Issue Tracking, Third Party Advisory
  • github.com https://github.com/containers/libpod/commit/5c09c4d2947a759724f9d5aef6bac04317e03f7e
    Patch
  • github.com https://github.com/containers/libpod/compare/v1.5.1...v1.6.0
    Patch
  • github.com https://github.com/containers/libpod/issues/3829
    Exploit, Third Party Advisory

Remediation

  • github.com https://github.com/containers/libpod/commit/5c09c4d2947a759724f9d5aef6bac04317e03f7e
    Patch
  • github.com https://github.com/containers/libpod/compare/v1.5.1...v1.6.0
    Patch