Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

Untriaged
Filter by:
With package: podman-tui

Found 5 matching suggestions

View:
Compact
Detailed
Permalink CVE-2025-9566
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 2 months, 3 weeks ago
Podman: podman kube play command may overwrite host files

There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file. Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1

References

Affected products

pytz
  • *
babel
  • *
cri-o
  • *
rhcos
  • *
future
  • *
kernel
  • *
podman
  • *
  • <5.6.1
poetry
  • *
pysnmp
  • *
pytest
  • *
subunit
  • *
toolbox
  • *
pyflakes
  • *
wasmedge
  • *
cri-tools
  • *
kernel-rt
  • *
openshift
  • *
pyOpenSSL
  • *
pyparsing
  • *
python-py
  • *
python-ddt
  • *
python-dns
  • *
python-m2r
  • *
python-pbr
  • *
python-smi
  • *
python-tox
  • *
python-amqp
  • *
python-case
  • *
python-cleo
  • *
python-cmd2
  • *
python-flit
  • *
python-idna
  • *
python-lark
  • *
python-mako
  • *
python-mock
  • *
python-nose
  • *
python-pint
  • *
python-sure
  • *
python-toml
  • *
python-tooz
  • *
python-vine
  • *
python-zake
  • *
python-zipp
  • *
pysnmpcrypto
  • *
python-attrs
  • *
python-build
  • *
python-cachy
  • *
python-click
  • *
python-cliff
  • *
python-flask
  • *
python-gabbi
  • *
python-kafka
  • *
python-kazoo
  • *
python-kombu
  • *
python-munch
  • *
python-paste
  • *
python-pecan
  • *
python-redis
  • *
python-sushy
  • *
python-tomli
  • *
python-webob
  • *
python-wrapt
  • *
python-yappi
  • *
python-apipkg
  • *
python-bcrypt
  • *
python-editor
  • *
python-extras
  • *
python-flake8
  • *
python-gevent
  • *
python-ifaddr
  • *
python-jinja2
  • *
python-libcst
  • *
python-mccabe
  • *
python-pep517
  • *
python-pluggy
  • *
python-psutil
  • *
python-pyasn1
  • *
python-pycadf
  • *
python-pycurl
  • *
python-pyghmi
  • *
python-pyudev
  • *
python-routes
  • *
python-sphinx
  • *
python-statsd
  • *
python-stestr
  • *
python-alembic
  • *
python-appdirs
  • *
python-betamax
  • *
python-certifi
  • *
python-chardet
  • *
python-cheroot
  • *
python-distlib
  • *
python-dulwich
  • *
python-execnet
  • *
python-hacking
  • *
python-inotify
  • *
python-iso8601
  • *
python-jeepney
  • *
python-keyring
  • *
python-migrate
  • *
python-mistune
  • *
python-msgpack
  • *
python-netaddr
  • *
python-osc-lib
  • *
python-oslo-db
  • *
python-pexpect
  • *
python-pkginfo
  • *
python-portend
  • *
python-pretend
  • *
python-pycdlib
  • *
python-rfc3986
  • *
python-tempita
  • *
python-tempora
  • *
python-tomli-w
  • *
python-tornado
  • *
python-trustme
  • *
python-warlock
  • *
python-wcwidth
  • *
python-webtest
  • *
python3.12-six
  • *
dbus-python3.12
  • *
kata-containers
  • *
pysnmp-lextudio
  • *
python-autopage
  • *
python-colorama
  • *
python-coverage
  • *
python-docutils
  • *
python-eventlet
  • *
python-filelock
  • *
python-fixtures
  • *
python-funcsigs
  • *
python-futurist
  • *
python-greenlet
  • *
python-gunicorn
  • *
python-html5lib
  • *
python-httplib2
  • *
python-iniparse
  • *
python-jmespath
  • *
python-kerberos
  • *
python-logutils
  • *
python-oauthlib
  • *
python-oslo-log
  • *
python-oslotest
  • *
python-pathspec
  • *
python-pygments
  • *
python-requests
  • *
python-retrying
  • *
python-sqlparse
  • *
python-tenacity
  • *
python-testpath
  • *
python-waitress
  • *
python-werkzeug
  • *
python-zeroconf
  • *
python3.12-mypy
  • *
openstack-macros
  • *
python-automaton
  • *
python-construct
  • *
python-crashtest
  • *
python-decorator
  • *
python-editables
  • *
python-fasteners
  • *
python-freezegun
  • *
python-hatch-vcs
  • *
python-hatchling
  • *
python-httpretty
  • *
python-imagesize
  • *
python-jsonpatch
  • *
python-memcached
  • *
python-mimeparse
  • *
python-monotonic
  • *
python-os-traits
  • *
python-oslo-i18n
  • *
python-packaging
  • *
python-pyperclip
  • *
python-soupsieve
  • *
python-stevedore
  • *
python-testtools
  • *
python-typeguard
  • *
python-uhashring
  • *
python-xmlschema
  • *
container-selinux
  • *
openshift-ansible
  • *
openshift-clients
  • *
python-cachetools
  • *
python-defusedxml
  • *
python-dracclient
  • *
python-hypothesis
  • *
python-jsonschema
  • *
python-kiwisolver
  • *
python-linecache2
  • *
python-markupsafe
  • *
python-oslo-cache
  • *
python-oslo-utils
  • *
python-osprofiler
  • *
python-ptyprocess
  • *
python-pyasyncore
  • *
python-pymemcache
  • *
python-pyrsistent
  • *
python-pytest-cov
  • *
python-repoze-lru
  • *
python-rst-linker
  • *
python-simplejson
  • *
python-sqlalchemy
  • *
python-traceback2
  • *
python-virtualenv
  • *
python-voluptuous
  • *
python-websockify
  • *
python-zombie-imp
  • *
python-zope-event
  • *
python3.12-pyyaml
  • *
openshift4-aws-iso
  • *
python-contextlib2
  • *
python-elementpath
  • *
python-jaraco-text
  • *
python-jsonpath-rw
  • *
python-jsonpointer
  • *
python-oslo-config
  • *
python-oslo-policy
  • *
python-poetry-core
  • *
python-prettytable
  • *
python-pycodestyle
  • *
python-pytest-mock
  • *
python-shellingham
  • *
devspaces/udi-rhel9
  • *
python-atomicwrites
  • *
python-cinderclient
  • *
python-glanceclient
  • *
python-hypothesmith
  • *
python-ironicclient
  • *
python-itsdangerous
  • *
python-openstacksdk
  • *
python-oslo-context
  • *
python-oslo-metrics
  • *
python-oslo-service
  • *
python-paste-deploy
  • *
python-platformdirs
  • *
python-pytest-xdist
  • *
python-smi-lextudio
  • *
python-webencodings
  • *
python-zope-testing
  • *
python3.12-dateutil
  • *
python-SecretStorage
  • *
python-async-timeout
  • *
python-debtcollector
  • *
python-dogpile-cache
  • *
python-keystoneauth1
  • *
python-oslo-rootwrap
  • *
python-pyproject-api
  • *
python-pytest-forked
  • *
python-pytest-runner
  • *
python-requests-mock
  • *
python-simplegeneric
  • *
python-testresources
  • *
python-testscenarios
  • *
container-tools:rhel8
  • *
python-beautifulsoup4
  • *
python-jaraco-classes
  • *
python-jaraco-context
  • *
python-keystoneclient
  • *
python-more-itertools
  • *
python-oslo-messaging
  • *
python-pytest-asyncio
  • *
python-pytest-timeout
  • *
python-setuptools_scm
  • *
python-singledispatch
  • *
python-testrepository
  • *
python-typing-inspect
  • *
python-wsgi_intercept
  • *
python-zope-interface
  • *
ephemeral-port-reserve
  • *
python-jsonpath-rw-ext
  • *
python-mypy_extensions
  • *
python-oslo-middleware
  • *
python-pyproject-hooks
  • *
python-pytest-xprocess
  • *
python-snowballstemmer
  • *
python-tox-current-env
  • *
python-binary-memcached
  • *
python-jaraco-functools
  • *
python-jaraco-packaging
  • *
python-os-client-config
  • *
python-os-service-types
  • *
python-oslo-concurrency
  • *
python-service-identity
  • *
python-sortedcontainers
  • *
python-sphinx_rtd_theme
  • *
devspaces/udi-base-rhel9
  • *
python-oslo-upgradecheck
  • *
python-prometheus_client
  • *
python-railroad-diagrams
  • *
python-requests-kerberos
  • *
python-requests-toolbelt
  • *
python-trove-classifiers
  • *
python-typing-extensions
  • *
python-keystonemiddleware
  • *
python-microversion-parse
  • *
python-openstackdocstheme
  • *
python-oslo-serialization
  • *
python-requestsexceptions
  • *
python-pytest-lazy-fixture
  • *
python-requests-unixsocket
  • *
python-pytest-rerunfailures
  • *
python-sphinxcontrib-jquery
  • *
python-sphinxcontrib-jsmath
  • *
python-sphinxcontrib-qthelp
  • *
container-tools:rhel8/podman
python-oslo-versionedobjects
  • *
python-sphinxcontrib-devhelp
  • *
python-sphinx-theme-alabaster
  • *
python-sphinxcontrib-htmlhelp
  • *
python-hatch-fancy-pypi-readme
  • *
python-sphinxcontrib-applehelp
  • *
python-sphinxcontrib-httpdomain
  • *
python-ironic-prometheus-exporter
  • *
python-sphinxcontrib-serializinghtml
  • *
ose-aws-ecr-image-credential-provider
  • *
ose-gcp-gcr-image-credential-provider
  • *
ose-azure-acr-image-credential-provider
  • *

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

Package maintainers

Permalink CVE-2025-6032
8.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 9 months, 2 weeks ago
Podman: podman missing tls verification

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.

References

Affected products

rhcos
  • *
podman
  • *
  • <5.5.2
container-tools:rhel8
  • *
container-tools:rhel8/podman

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

pkgs.podman-compose

Implementation of docker-compose with podman backend

Package maintainers

Permalink CVE-2024-9676
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 year, 4 months ago
Podman: buildah: cri-o: symlink traversal vulnerability in the containers/storage library can cause denial of service (dos)

A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.

References

Affected products

cri-o
  • *
conmon
podman
  • *
skopeo
buildah
  • *
containers/storage
  • <1.55.1
container-tools:rhel8
  • *
quay/quay-builder-rhel8
ocp-tools-4/jenkins-rhel8
container-tools:rhel8/conmon
container-tools:rhel8/podman
container-tools:rhel8/skopeo
container-tools:rhel8/buildah
openshift4/ose-docker-builder
  • *
jenkins-agent-base-rhel9-container
openshift4/ose-docker-builder-rhel9
  • *
ocp-tools-4/jenkins-agent-base-rhel8

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

pkgs.podman

Program for managing pods, containers and container images

pkgs.skopeo

Command line utility for various operations on container images and image repositories

pkgs.buildah

Tool which facilitates building OCI images

pkgs.conmon-rs

OCI container runtime monitor written in Rust

pkgs.podman-compose

Implementation of docker-compose with podman backend

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

Package maintainers

Permalink CVE-2024-9675
4.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 year, 4 months ago
Buildah: buildah allows arbitrary directory mount

A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.

References

Affected products

cri-o
conmon
podman
  • *
skopeo
buildah
  • *
  • <1.38.0
buildah-container
container-tools:rhel8
  • *
quay/quay-builder-rhel8
ocp-tools-4/jenkins-rhel8
container-tools:rhel8/conmon
container-tools:rhel8/podman
container-tools:rhel8/skopeo
container-tools:rhel8/buildah
openshift4/ose-docker-builder
  • *
openshift4/ose-docker-builder-rhel9
  • *
ocp-tools-4/jenkins-agent-base-rhel8
openshift-enterprise-builder-container
  • *

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

pkgs.podman

Program for managing pods, containers and container images

pkgs.skopeo

Command line utility for various operations on container images and image repositories

pkgs.buildah

Tool which facilitates building OCI images

pkgs.conmon-rs

OCI container runtime monitor written in Rust

pkgs.podman-compose

Implementation of docker-compose with podman backend

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

Package maintainers

Permalink CVE-2024-9407
4.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 year, 4 months ago
Buildah: podman: improper input validation in bind-propagation option of dockerfile run --mount instruction

A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.

References

Affected products

rhcos
  • *
podman
  • *
  • <1.5.0
  • <5.2.4
buildah
  • *
  • <1.37.4
  • <1.9.1
container-tools:rhel8
  • *
container-tools:rhel8/podman
container-tools:rhel8/buildah
openshift4/ose-docker-builder
openshift4/ose-docker-builder-rhel9

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

pkgs.buildah

Tool which facilitates building OCI images

pkgs.podman-compose

Implementation of docker-compose with podman backend

Package maintainers