Bugzilla – Bug 1205673
VUL-1: CVE-2022-4123: buildah: Path disclosure
Last modified: 2025-01-23 15:20:59 UTC
rh#2144989

This flaw was found in Buildah via podman.

> Type: information disclosure of a local absolute path
>
> Severity: very low. (A local path is not that sensitive information).
> Feel free to just disregard this report if you think this issue has
> too low importance.
>
> Summary: Podman may disclose the absolute path of an empty context dir
> when running
> "podman --remote build -t test1 -f /tmp/Dockerfile emptydir".
> The path could be logged in the container image. (The
> lowest subdirectory of the absolute path might not be disclosed, see
> discussion below)
>
> The issue was introduced in
> https://github.com/containers/podman/pull/13531
> that went into the Podman release v4.1.0-rc1

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2144989
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4123
This page [1] mentions Buildah is affected, but not which version. This bug [2] mentions that it might be fixed in 1.32. Looking at the code [3], I can't conclude it is a proper fix for this CVE.

If this commit [3] is indeed a fix, SLE 15 SP2 would be affected because Buildah is on a version before the fix was introduced (current in 1.25, fixed in 1.32).

[1]: https://access.redhat.com/security/cve/CVE-2022-4123
[2]: https://bugs.gentoo.org/884859
[3]: https://github.com/containers/buildah/commit/cc619c28d93148f220c292bef9d8fe840fff7b1b

Danish, can you take a look?
SP1 and SP2 are out of support and this CVE has a low score. We can close this.