Permissions, Privileges, and Access Controls in Podman - CVE-2020-1726
Published: March 11, 2020
Vulnerability identifier: #VU25983
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-1726
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Container Projects
Affected software:
Podman
Podman
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists in Podman where it incorrectly allows containers when created to overwrite existing files in volumes, even if they are mounted as read-only. When a user runs a malicious container or a container based on a malicious image with an attached volume that is used for the first time, it is possible to trigger the flaw and overwrite files in the volume.T
How to mitigate CVE-2020-1726
Install updates from vendor's website.