A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Common | Containers | * | * |
| Red Hat Enterprise Linux 8 | RedHat | container-tools:rhel8-8100020241023085649.afee755d | * |
| Red Hat Enterprise Linux 9 | RedHat | podman-4:4.9.4-13.el9_4 | * |
| Red Hat Enterprise Linux 9 | RedHat | buildah-2:1.33.9-1.el9_4 | * |
| Red Hat Enterprise Linux 9 | RedHat | podman-4:5.2.2-9.el9_5 | * |
| Red Hat Enterprise Linux 9 | RedHat | buildah-2:1.37.5-1.el9_5 | * |
| Red Hat OpenShift Container Platform 4.12 | RedHat | cri-o-0:1.25.5-30.rhaos4.12.git53dc492.el8 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | cri-o-0:1.26.5-26.rhaos4.13.giteb3d487.el9 | * |
| Red Hat OpenShift Container Platform 4.14 | RedHat | cri-o-0:1.27.8-10.rhaos4.14.git807f92c.el9 | * |
| Red Hat OpenShift Container Platform 4.15 | RedHat | cri-o-0:1.28.11-5.rhaos4.15.git35a2431.el9 | * |
| Red Hat OpenShift Container Platform 4.16 | RedHat | cri-o-0:1.29.9-5.rhaos4.16.git34690b9.el9 | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | cri-o-0:1.30.6-3.rhaos4.17.git49b5172.el9 | * |