CVE-2019-18466

{"id": "CVE-2019-18466", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2019-10-28T13:15:11.430", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00040.html", "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2019:4269", "source": "cve@mitre.org"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1744588", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/containers/libpod/commit/5c09c4d2947a759724f9d5aef6bac04317e03f7e", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/containers/libpod/compare/v1.5.1...v1.6.0", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/containers/libpod/issues/3829", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-59"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Podman in libpod before 1.6.0. It resolves a symlink in the host context during a copy operation from the container to the host, because an undesired glob operation occurs. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Podman en libpod versiones anteriores a la versi\u00f3n 1.6.0. Resuelve un enlace simb\u00f3lico (symlink) en el contexto del host durante una operaci\u00f3n de copia desde el contenedor hacia el host, porque se produce una operaci\u00f3n glob no deseada. Un atacante podr\u00eda crear una imagen de contenedor que contenga enlaces simb\u00f3licos particulares que, cuando sean copiados por parte de un usuario v\u00edctima hacia el sistema de archivos del host, pueden sobrescribir los archivos existentes con otros del host."}], "lastModified": "2020-01-15T14:15:11.857", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:libpod_project:libpod:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "49E75E62-0DB3-4D8F-A9E9-18450BE6723E", "versionEndExcluding": "1.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}