Updated: 2025-09-19 04:19:53.523865
Description:
There is a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file contains a Secret or a ConfigMap volume mount and that volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control which target file is overwritten, not the content written into the file.
Binary-Affected: podman
Upstream-version-introduced: v4.0.0
Upstream-version-fixed: v5.6.1
| Links | NIST | CIRCL | RHEL | Ubuntu |
|---|---|---|---|---|
| Metric | Severity | Score |
|---|---|---|
| CVSS Version 2.x | NONE | 0.0 |
| CVSS Version 3.x | HIGH | 8.1 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | podman | 4.4.1 | 8.1 | HIGH | Released | CLSA-2025:1759505734 | 2025-10-03 21:13:14 | |
| TuxCare 9.6 ESU | podman | 5.4.0 | 8.1 | HIGH | Already Fixed | | 2025-12-16 17:38:45 | |