OpenCVE

A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Podman Project	Podman

Configuration 1 [-]

OR	cpe:2.3:a:podman_project:podman:4.1.0:-::::::
	cpe:2.3:a:podman_project:podman:4.1.0:rc1::::::
	cpe:2.3:a:podman_project:podman:4.1.0:rc2::::::
	cpe:2.3:a:podman_project:podman:4.1.1:::::::*
	cpe:2.3:a:podman_project:podman:4.2.0:-::::::
	cpe:2.3:a:podman_project:podman:4.2.0:rc1::::::
	cpe:2.3:a:podman_project:podman:4.2.0:rc2::::::
	cpe:2.3:a:podman_project:podman:4.2.0:rc3::::::
	cpe:2.3:a:podman_project:podman:4.2.1:::::::*
	cpe:2.3:a:podman_project:podman:4.3.0:-::::::

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*
	cpe:2.3:o:fedoraproject:fedora:37:::::::*

No data.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=2144989
https://nvd.nist.gov/vuln/detail/CVE-2022-4123
https://www.cve.org/CVERecord?id=CVE-2022-4123

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2022-12-08T00:00:00

Updated: 2024-08-03T01:27:54.544Z

Reserved: 2022-11-22T00:00:00

Link: CVE-2022-4123

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-12-08T16:15:14.937

Modified: 2023-06-27T14:59:05.893

Link: CVE-2022-4123

Redhat

Severity : Low

Publid Date: 2022-11-22T00:00:00Z

Links: CVE-2022-4123 - Bugzilla

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:podman_project:podman:4.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "F38CCFD3-5936-40E2-9617-B5D6B5CD20BE", "vulnerable": true}, {"criteria": "cpe:2.3:a:podman_project:podman:4.1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4A21578B-CEC4-48D3-837D-12C1C5825BA2", "vulnerable": true}, {"criteria": "cpe:2.3:a:podman_project:podman:4.1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "7247B6A6-26D1-4224-A8C3-BC73000239ED", "vulnerable": true}, {"criteria": "cpe:2.3:a:podman_project:podman:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "3190698C-48D2-4952-B193-ADA672C1CA3B", "vulnerable": true}, {"criteria": "cpe:2.3:a:podman_project:podman:4.2.0:-:*:*:*:*:*:*", "matchCriteriaId": "C98DAA3D-0006-445D-80DA-0BBBB7B213A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:podman_project:podman:4.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "731A3F26-24C8-4B28-9DB6-296118A5EF33", "vulnerable": true}, {"criteria": "cpe:2.3:a:podman_project:podman:4.2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "48148000-C165-4B94-9E58-F9B8B428068B", "vulnerable": true}, {"criteria": "cpe:2.3:a:podman_project:podman:4.2.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "ACA5BD4D-2571-4CF3-ABF3-93332B037721", "vulnerable": true}, {"criteria": "cpe:2.3:a:podman_project:podman:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "768879D7-F8AA-401F-B3AC-0B8E791F190D", "vulnerable": true}, {"criteria": "cpe:2.3:a:podman_project:podman:4.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "A2900852-3170-4AF7-828E-6445C78AC802", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en Buildah. La ruta local y el subdirectorio m\u00e1s bajo pueden revelarse debido a path traversal absoluto incorrecto, lo que afecta la confidencialidad."}], "id": "CVE-2022-4123", "lastModified": "2023-06-27T14:59:05.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-08T16:15:14.937", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144989"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-23"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"bugzilla": {"description": "podman: Path disclosure", "id": "2144989", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144989"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.1", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-23", "details": ["A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.", "A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality."], "name": "CVE-2022-4123", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:3.0/podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "container-tools:4.0/podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "container-tools:rhel8/podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Under investigation", "package_name": "podman", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "buildah", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Under investigation", "package_name": "podman", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2022-11-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-4123\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-4123"], "statement": "These bugs come about when \"podman --remote build -t test1 -f /tmp/Dockerfile> emptydir\" is run, thus affecting buildah, but the bug itself needs to be fixed in podman, and ported to Buildah.", "threat_severity": "Low"}