github.com/containers/buildah is vulnerable to information disclosure. The vulnerability exists in the configureUIDGID function in run_common.go due to improper handling of supplementary groups in the Buildah container engine, which allows an attacker to gain access to containers and perform unauthorized actions.
access.redhat.com/errata/RHSA-2022:7457
access.redhat.com/errata/RHSA-2022:7822
access.redhat.com/errata/RHSA-2022:8008
access.redhat.com/errata/RHSA-2022:8431
access.redhat.com/security/cve/CVE-2022-2990
bugzilla.redhat.com/show_bug.cgi?id=2121453
github.com/advisories/GHSA-fjm8-m7m6-2fjp
github.com/containers/buildah/commit/4a8bf740e862f2438279c6feee2ea59ddf0cda0b
github.com/containers/buildah/pull/4200
www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/