openEuler 24.03 LTS SP1 update for podman
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 13 |
| CVE-ID | CVE-2019-9514 CVE-2022-1962 CVE-2022-2880 CVE-2022-32189 CVE-2022-41715 CVE-2024-24791 CVE-2024-37298 CVE-2024-6104 CVE-2024-9341 CVE-2024-9355 CVE-2024-9407 CVE-2024-9675 CVE-2024-9676 |
| CWE-ID | CWE-400 CWE-20 CWE-532 CWE-457 CWE-22 CWE-61 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
openEuler Operating systems & Components / Operating system podman-help Operating systems & Components / Operating system package or component podman-docker Operating systems & Components / Operating system package or component podmansh Operating systems & Components / Operating system package or component podman-tests Operating systems & Components / Operating system package or component podman-remote Operating systems & Components / Operating system package or component podman-plugins Operating systems & Components / Operating system package or component podman-gvproxy Operating systems & Components / Operating system package or component podman-debugsource Operating systems & Components / Operating system package or component podman-debuginfo Operating systems & Components / Operating system package or component podman Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 13 vulnerabilities.
1) Resource exhaustion
EUVDB-ID: #VU20201
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-9514
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of user-supplied input when processing HTTP/2 requests. A remote attacker can send specially crafted HTTP packets to the affected system trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 24.03 LTS SP1
podman-help: before 4.9.4-13
podman-docker: before 4.9.4-13
podmansh: before 4.9.4-13
podman-tests: before 4.9.4-13
podman-remote: before 4.9.4-13
podman-plugins: before 4.9.4-13
podman-gvproxy: before 4.9.4-13
podman-debugsource: before 4.9.4-13
podman-debuginfo: before 4.9.4-13
podman: before 4.9.4-13
CPE2.3- cpe:2.3:o:openeuler:openeuler:24.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:podman-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-docker:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podmansh:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-tests:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-remote:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-plugins:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-gvproxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1055
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Resource exhaustion
EUVDB-ID: #VU66065
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-1962
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in go/parser. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 24.03 LTS SP1
podman-help: before 4.9.4-13
podman-docker: before 4.9.4-13
podmansh: before 4.9.4-13
podman-tests: before 4.9.4-13
podman-remote: before 4.9.4-13
podman-plugins: before 4.9.4-13
podman-gvproxy: before 4.9.4-13
podman-debugsource: before 4.9.4-13
podman-debuginfo: before 4.9.4-13
podman: before 4.9.4-13
CPE2.3- cpe:2.3:o:openeuler:openeuler:24.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:podman-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-docker:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podmansh:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-tests:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-remote:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-plugins:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-gvproxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1055
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU68389
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-2880
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform parameter smuggling attacks.
The vulnerability exists due to incorrect handling of requests forwarded by ReverseProxy in net/http/httputil. A remote attacker can supply specially crafted parameters that cannot be parsed and are rejected by net/http and force the application to include these parameters into the forwarding request. As a result, a remote attacker can smuggle potentially dangerous HTTP parameters into the request.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 24.03 LTS SP1
podman-help: before 4.9.4-13
podman-docker: before 4.9.4-13
podmansh: before 4.9.4-13
podman-tests: before 4.9.4-13
podman-remote: before 4.9.4-13
podman-plugins: before 4.9.4-13
podman-gvproxy: before 4.9.4-13
podman-debugsource: before 4.9.4-13
podman-debuginfo: before 4.9.4-13
podman: before 4.9.4-13
CPE2.3- cpe:2.3:o:openeuler:openeuler:24.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:podman-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-docker:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podmansh:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-tests:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-remote:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-plugins:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-gvproxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1055
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU66121
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-32189
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in
Float.GobDecode. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 24.03 LTS SP1
podman-help: before 4.9.4-13
podman-docker: before 4.9.4-13
podmansh: before 4.9.4-13
podman-tests: before 4.9.4-13
podman-remote: before 4.9.4-13
podman-plugins: before 4.9.4-13
podman-gvproxy: before 4.9.4-13
podman-debugsource: before 4.9.4-13
podman-debuginfo: before 4.9.4-13
podman: before 4.9.4-13
CPE2.3- cpe:2.3:o:openeuler:openeuler:24.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:podman-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-docker:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podmansh:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-tests:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-remote:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-plugins:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-gvproxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1055
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Resource exhaustion
EUVDB-ID: #VU68390
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-41715
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in regexp/syntax when handling regular expressions. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 24.03 LTS SP1
podman-help: before 4.9.4-13
podman-docker: before 4.9.4-13
podmansh: before 4.9.4-13
podman-tests: before 4.9.4-13
podman-remote: before 4.9.4-13
podman-plugins: before 4.9.4-13
podman-gvproxy: before 4.9.4-13
podman-debugsource: before 4.9.4-13
podman-debuginfo: before 4.9.4-13
podman: before 4.9.4-13
CPE2.3- cpe:2.3:o:openeuler:openeuler:24.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:podman-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-docker:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podmansh:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-tests:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-remote:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-plugins:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-gvproxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1055
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Resource exhaustion
EUVDB-ID: #VU93850
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-24791
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of "Expect: 100-continue" HTTP requests. A remote attacker can send multiple such requests and consume all available resources.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 24.03 LTS SP1
podman-help: before 4.9.4-13
podman-docker: before 4.9.4-13
podmansh: before 4.9.4-13
podman-tests: before 4.9.4-13
podman-remote: before 4.9.4-13
podman-plugins: before 4.9.4-13
podman-gvproxy: before 4.9.4-13
podman-debugsource: before 4.9.4-13
podman-debuginfo: before 4.9.4-13
podman: before 4.9.4-13
CPE2.3- cpe:2.3:o:openeuler:openeuler:24.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:podman-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-docker:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podmansh:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-tests:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-remote:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-plugins:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-gvproxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1055
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Resource exhaustion
EUVDB-ID: #VU94743
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-37298
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in schema.Decoder.Decode() . A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 24.03 LTS SP1
podman-help: before 4.9.4-13
podman-docker: before 4.9.4-13
podmansh: before 4.9.4-13
podman-tests: before 4.9.4-13
podman-remote: before 4.9.4-13
podman-plugins: before 4.9.4-13
podman-gvproxy: before 4.9.4-13
podman-debugsource: before 4.9.4-13
podman-debuginfo: before 4.9.4-13
podman: before 4.9.4-13
CPE2.3- cpe:2.3:o:openeuler:openeuler:24.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:podman-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-docker:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podmansh:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-tests:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-remote:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-plugins:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-gvproxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1055
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Inclusion of Sensitive Information in Log Files
EUVDB-ID: #VU94616
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-6104
CWE-ID:
CWE-532 - Information Exposure Through Log Files
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to software stores sensitive information into log files. A local user can read the log files and gain access to sensitive data obtain from HTTP requests.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 24.03 LTS SP1
podman-help: before 4.9.4-13
podman-docker: before 4.9.4-13
podmansh: before 4.9.4-13
podman-tests: before 4.9.4-13
podman-remote: before 4.9.4-13
podman-plugins: before 4.9.4-13
podman-gvproxy: before 4.9.4-13
podman-debugsource: before 4.9.4-13
podman-debuginfo: before 4.9.4-13
podman: before 4.9.4-13
CPE2.3- cpe:2.3:o:openeuler:openeuler:24.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:podman-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-docker:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podmansh:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-tests:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-remote:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-plugins:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-gvproxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1055
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Input validation error
EUVDB-ID: #VU98141
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-9341
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 24.03 LTS SP1
podman-help: before 4.9.4-13
podman-docker: before 4.9.4-13
podmansh: before 4.9.4-13
podman-tests: before 4.9.4-13
podman-remote: before 4.9.4-13
podman-plugins: before 4.9.4-13
podman-gvproxy: before 4.9.4-13
podman-debugsource: before 4.9.4-13
podman-debuginfo: before 4.9.4-13
podman: before 4.9.4-13
CPE2.3- cpe:2.3:o:openeuler:openeuler:24.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:podman-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-docker:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podmansh:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-tests:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-remote:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-plugins:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-gvproxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1055
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Use of Uninitialized Variable
EUVDB-ID: #VU98022
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-9355
CWE-ID:
CWE-457 - Use of Uninitialized Variable
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to weaken TLS encryption.
The vulnerability exists due to an uninitialized buffer length variable in the CGO bindings that intermittently return a zeroed buffer from (*boringHMAC).Sum() in FIPS mode. A remote attacker can randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode and weaken TLS security.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 24.03 LTS SP1
podman-help: before 4.9.4-13
podman-docker: before 4.9.4-13
podmansh: before 4.9.4-13
podman-tests: before 4.9.4-13
podman-remote: before 4.9.4-13
podman-plugins: before 4.9.4-13
podman-gvproxy: before 4.9.4-13
podman-debugsource: before 4.9.4-13
podman-debuginfo: before 4.9.4-13
podman: before 4.9.4-13
CPE2.3- cpe:2.3:o:openeuler:openeuler:24.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:podman-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-docker:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podmansh:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-tests:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-remote:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-plugins:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-gvproxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1055
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Input validation error
EUVDB-ID: #VU98140
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-9407
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files.
Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 24.03 LTS SP1
podman-help: before 4.9.4-13
podman-docker: before 4.9.4-13
podmansh: before 4.9.4-13
podman-tests: before 4.9.4-13
podman-remote: before 4.9.4-13
podman-plugins: before 4.9.4-13
podman-gvproxy: before 4.9.4-13
podman-debugsource: before 4.9.4-13
podman-debuginfo: before 4.9.4-13
podman: before 4.9.4-13
CPE2.3- cpe:2.3:o:openeuler:openeuler:24.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:podman-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-docker:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podmansh:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-tests:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-remote:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-plugins:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-gvproxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1055
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Path traversal
EUVDB-ID: #VU98828
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-9675
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to input validation error when processing directory traversal sequences in cache mounts. A local user can execute a 'RUN' instruction in a Container file to mount an arbitrary directory from the host into the container as long as those files can be accessed by the user running Buildah.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 24.03 LTS SP1
podman-help: before 4.9.4-13
podman-docker: before 4.9.4-13
podmansh: before 4.9.4-13
podman-tests: before 4.9.4-13
podman-remote: before 4.9.4-13
podman-plugins: before 4.9.4-13
podman-gvproxy: before 4.9.4-13
podman-debugsource: before 4.9.4-13
podman-debuginfo: before 4.9.4-13
podman: before 4.9.4-13
CPE2.3- cpe:2.3:o:openeuler:openeuler:24.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:podman-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-docker:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podmansh:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-tests:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-remote:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-plugins:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-gvproxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1055
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) UNIX symbolic link following
EUVDB-ID: #VU98817
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-9676
CWE-ID:
CWE-61 - UNIX Symbolic Link (Symlink) Following
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a symlink following issue when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). A local user can create a symbolic link to an arbitrary file on the system, force the library to read it and perform a denial of service (DoS) attack.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 24.03 LTS SP1
podman-help: before 4.9.4-13
podman-docker: before 4.9.4-13
podmansh: before 4.9.4-13
podman-tests: before 4.9.4-13
podman-remote: before 4.9.4-13
podman-plugins: before 4.9.4-13
podman-gvproxy: before 4.9.4-13
podman-debugsource: before 4.9.4-13
podman-debuginfo: before 4.9.4-13
podman: before 4.9.4-13
CPE2.3- cpe:2.3:o:openeuler:openeuler:24.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:podman-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-docker:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podmansh:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-tests:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-remote:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-plugins:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-gvproxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:podman:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1055
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
