Alpine: multiple buildah packages: security update to 1.35.4-r0

high Tenable Cloud Security Plugin ID 426283

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary
locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image
with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the
host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write
access to the host filesystem, allowing for full container escape at build time. (CVE-2024-1753)

- A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger
unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local
path traversal, and other attacks. (CVE-2024-3727)

- The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid
JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set. (CVE-2024-24786)

- Package jose aims to provide an implementation of the JavaScript Object Signing and Encryption set of
standards. An attacker could send a JWE containing compressed data that used large amounts of memory and
CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed
data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been
patched in versions 4.0.1, 3.0.3 and 2.6.3. (CVE-2024-28180)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-1753

https://security.alpinelinux.org/vuln/CVE-2024-24786

https://security.alpinelinux.org/vuln/CVE-2024-28180

https://security.alpinelinux.org/vuln/CVE-2024-3727

Plugin Details

Severity: High

ID: 426283

Version: Revision 1.4

Type: Local

Published: 5/16/2025

Updated: 5/18/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.48

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-3727

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2024-1753

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 8.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2024-24786

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 3/5/2024

Reference Information

CVE: CVE-2024-1753, CVE-2024-24786, CVE-2024-28180, CVE-2024-3727