CVE-2019-18466
MEDIUM EPSS 70.9%
Published Oct 28, 2019 (6y ago) · Modified Jun 17, 2026 (2w ago)
5.5 CVSS 3.1
Description
An issue was discovered in Podman in libpod before 1.6.0. It resolves a symlink in the host context during a copy operation from the container to the host, because an undesired glob operation occurs. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.
CVSS Details
Base Score
Exploitability
Impact
Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: None
- Integrity: High
- Availability: None
Threat Intelligence
EPSS Exploit Probability
70.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-59
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| libpod_project | libpod | * | <1.6.0 |
References 6
- lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00040.html
- access.redhat.com https://access.redhat.com/errata/RHSA-2019:4269
- bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=1744588
- github.com https://github.com/containers/libpod/commit/5c09c4d2947a759724f9d5aef6bac04317e03f7e
- github.com https://github.com/containers/libpod/compare/v1.5.1...v1.6.0
- github.com https://github.com/containers/libpod/issues/3829
Remediation
- github.com https://github.com/containers/libpod/commit/5c09c4d2947a759724f9d5aef6bac04317e03f7e
- github.com https://github.com/containers/libpod/compare/v1.5.1...v1.6.0