Incorrect Default Permissions Affecting podman package, versions <2:4.0.2-24.module+el8.9.0+19784+443be299
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CENTOS8-PODMAN-6059033
- published 15 Nov 2023
- disclosed 29 Mar 2023
Introduced: 29 Mar 2023
CVE-2023-25809 Open this link in a new tabHow to fix?
Upgrade Centos:8
podman
to version 2:4.0.2-24.module+el8.9.0+19784+443be299 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream podman
package and not the podman
package as distributed by Centos
.
See How to fix?
for Centos:8
relevant fixed versions and status.
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes /sys/fs/cgroup
writable in following conditons: 1. when runc is executed inside the user namespace, and the config.json
does not specify the cgroup namespace to be unshared (e.g.., (docker|podman|nerdctl) run --cgroupns=host
, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and /sys
is mounted with rbind, ro
(e.g., runc spec --rootless
; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/...
on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private)
. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add /sys/fs/cgroup
to maskedPaths
.