A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system.
Weakness
The product checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Podman | Podman_project | - (including) | - (including) |
| Red Hat Enterprise Linux 8 | RedHat | container-tools:rhel8-8080020230321153727.0f77c1b7 | * |
| Red Hat Enterprise Linux 8 | RedHat | container-tools:4.0-8080020230217080101.8108cfbc | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | podman-3:4.4.1-3.rhaos4.13.el9 | * |
| Libpod | Ubuntu | kinetic | * |
| Libpod | Ubuntu | lunar | * |
| Libpod | Ubuntu | mantic | * |
| Libpod | Ubuntu | oracular | * |
| Libpod | Ubuntu | trusty | * |
| Libpod | Ubuntu | xenial | * |