CVE-2024-9675
📋 TL;DR
This vulnerability in Buildah allows attackers to bypass path validation in cache mounts, enabling arbitrary host directory access during container builds. Users running Buildah with untrusted Containerfiles are affected, particularly in CI/CD pipelines or shared build environments.
💻 Affected Systems
- Buildah
📦 What is this software?
Buildah by Buildah Project
Enterprise Linux For Ibm Z Systems by Redhat
Enterprise Linux For Ibm Z Systems Eus by Redhat
Enterprise Linux For Power Little Endian by Redhat
Enterprise Linux For Power Little Endian Eus by Redhat
Enterprise Linux Update Services For Sap Solutions by Redhat
⚠️ Risk & Real-World Impact
Worst Case
Full host filesystem compromise allowing data theft, privilege escalation, or persistent backdoor installation through malicious container builds.
Likely Case
Unauthorized access to sensitive host files (configs, secrets, credentials) during container build processes, potentially leading to data exfiltration.
If Mitigated
Limited impact with proper user isolation, trusted Containerfile sources, and restricted build permissions.
🎯 Exploit Status
Exploitation requires the ability to execute Buildah commands, typically through build system access or CI/CD pipeline control.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Buildah 1.35.4 and later
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:8563
Restart Required: No
Instructions:
1. Update Buildah: 'sudo dnf update buildah' (RHEL/Fedora) or 'sudo apt-get update && sudo apt-get install buildah' (Debian/Ubuntu).
2. Verify version: 'buildah --version' should show 1.35.4 or higher.
🔧 Temporary Workarounds
Restrict Buildah Usage
Linux: Limit Buildah execution to trusted users and environments only.
sudo chmod 750 /usr/bin/buildah
sudo setfacl -m u:trusteduser:rx /usr/bin/buildah
Use Containerfile Validation
All platforms: Implement pre-build scanning of Containerfiles for suspicious cache mount paths. Comment lines are filtered first, and the pattern is passed with -e so that grep does not parse the leading '--' of the pattern as an option.
grep -v '^[[:space:]]*#' Containerfile | grep -e '--mount=type=cache'
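The grep above only lists cache mounts; it does not look at the paths they name. The following is an added example, not part of this advisory and not Buildah's own code: a small pre-build scanner that joins backslash-continued RUN instructions, parses each --mount specification, and flags cache mounts whose source=/src= option is an absolute path or contains a '..' component. That heuristic for "suspicious" is an assumption made here, as is the sample Containerfile, whose paths are constructed for illustration.

```python
"""Pre-build scanner for cache mounts in a Containerfile.

Hypothetical helper (not Buildah code): flags --mount=type=cache entries whose
source= / src= option names an absolute host path or contains a '..' component.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample input; the paths are illustrative, not from the advisory.
SAMPLE_CONTAINERFILE = """\
FROM registry.example.com/base:latest
# RUN --mount=type=cache,target=/commented echo skipped-by-scanner
RUN --mount=type=cache,target=/root/.cache/pip pip install -r requirements.txt
RUN --mount=type=cache,target=/var/cache/build,source=../../etc echo traversal
RUN --mount=type=bind,source=/src,target=/src make
RUN --mount=type=cache,target=/tmp/c,source=/var/lib/example \\
    echo absolute-source
RUN --mount=type=cache,target=/tmp/d,source=localcache echo fine
"""

MOUNT_RE = re.compile(r"--mount=(\S+)")


def iter_instructions(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first_line_number, instruction); joins backslash continuations,
    skips blank lines and comment lines."""
    buf: List[str] = []
    start = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        yield start, " ".join(buf)
        buf = []
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf)


def parse_mount(spec: str) -> Dict[str, str]:
    """'type=cache,target=/x,source=y' -> {'type': 'cache', 'target': '/x', 'source': 'y'}."""
    opts: Dict[str, str] = {}
    for part in spec.split(","):
        key, _, value = part.partition("=")
        opts[key.strip().lower()] = value.strip()
    return opts


def classify_source(source: str) -> str:
    """Return a reason string if the source path looks suspicious, else ''."""
    # Assumption: a cache mount source should be a relative name without traversal.
    if source.startswith("/"):
        return "absolute path"
    if any(seg == ".." for seg in source.split("/")):
        return "path traversal"
    return ""


def scan_containerfile(text: str) -> List[Dict[str, object]]:
    """Return one finding per cache mount whose source fails classify_source()."""
    findings: List[Dict[str, object]] = []
    for lineno, instr in iter_instructions(text):
        if not instr.upper().startswith("RUN"):
            continue
        for spec in MOUNT_RE.findall(instr):
            opts = parse_mount(spec)
            if opts.get("type") != "cache":
                continue
            source = opts.get("source") or opts.get("src") or ""
            reason = classify_source(source)
            if reason:
                findings.append({"line": lineno, "source": source,
                                 "target": opts.get("target", ""), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_containerfile(SAMPLE_CONTAINERFILE):
        print(f"line {f['line']}: cache mount source={f['source']!r} ({f['reason']})")
```

Run it against the sample and lines 4 and 6 are reported; line 3 (no source option), line 5 (a bind mount, out of scope here) and line 8 (a plain relative name) pass. In a pipeline, a non-empty finding list is the signal to fail the build before Buildah ever sees the file.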
🧯 If You Can't Patch
- Run Buildah in isolated environments (VMs, sandboxes) with minimal host access.
- Implement strict user/group permissions and audit all Containerfile sources before building.
🔍 How to Verify
Check if Vulnerable:
Run 'buildah --version' and check if version is below 1.35.4.
Check Version:
buildah --version
Verify Fix Applied:
Confirm 'buildah --version' returns 1.35.4 or higher and test cache mount functionality with safe paths.
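Comparing version strings by hand is error-prone: as plain strings, '1.35.10' sorts before '1.35.4'. The following is an added example, not from this advisory and not Buildah's own code, that parses the 'buildah --version' banner into a numeric tuple and compares it with the 1.35.4 threshold the advisory names. It assumes the banner has the form 'buildah version X.Y.Z (...)'. One caveat a practitioner should keep in mind: distributions such as RHEL frequently backport fixes without bumping the upstream version, so on those systems compare the installed package release (for example 'rpm -q buildah') against the errata rather than relying on the upstream number alone.

```python
"""Version check for the Buildah fix (hypothetical helper, not from the advisory).

Assumes `buildah --version` prints a line like
'buildah version 1.35.4 (image-spec 1.1.0, runtime-spec 1.2.0)'.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]
FIXED_VERSION: Version = (1, 35, 4)  # first fixed release named in the advisory


def parse_buildah_version(output: str) -> Optional[Version]:
    """Pull major.minor.patch out of the --version banner; None if absent."""
    m = re.search(r"\bversion\s+v?(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_below_fix(version: Version) -> bool:
    """Numeric tuple comparison: (1, 35, 10) is NOT below (1, 35, 4),
    whereas the string '1.35.10' sorts before '1.35.4' lexically."""
    return version < FIXED_VERSION


def check_installed_buildah() -> Optional[bool]:
    """True if the installed buildah reports a version below the fix,
    False if at/after the fix, None if buildah is absent or unparsable."""
    exe = shutil.which("buildah")
    if exe is None:
        return None
    proc = subprocess.run([exe, "--version"], capture_output=True, text=True, check=False)
    version = parse_buildah_version(proc.stdout)
    return None if version is None else is_below_fix(version)


if __name__ == "__main__":
    result = check_installed_buildah()
    print({None: "buildah not found or version unparsable",
           True: "below 1.35.4: update required",
           False: "1.35.4 or later: fix version present"}[result])
```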
📡 Detection & Monitoring
Log Indicators:
- Unusual cache mount paths in Buildah logs
- Multiple failed path validation attempts
Network Indicators:
- Unexpected outbound connections during container builds
SIEM Query:
source="buildah" AND ("cache" AND "mount" AND NOT "valid")
🔗 References
- https://access.redhat.com/errata/RHSA-2024:8563
- https://access.redhat.com/errata/RHSA-2024:8675
- https://access.redhat.com/errata/RHSA-2024:8679
- https://access.redhat.com/errata/RHSA-2024:8686
- https://access.redhat.com/errata/RHSA-2024:8690
- https://access.redhat.com/errata/RHSA-2024:8700
- https://access.redhat.com/errata/RHSA-2024:8703
- https://access.redhat.com/errata/RHSA-2024:8707
- https://access.redhat.com/errata/RHSA-2024:8708
- https://access.redhat.com/errata/RHSA-2024:8709
- https://access.redhat.com/errata/RHSA-2024:8846
- https://access.redhat.com/errata/RHSA-2024:8984
- https://access.redhat.com/errata/RHSA-2024:8994
- https://access.redhat.com/errata/RHSA-2024:9051
- https://access.redhat.com/errata/RHSA-2024:9454
- https://access.redhat.com/errata/RHSA-2024:9459
- https://access.redhat.com/errata/RHSA-2025:2445
- https://access.redhat.com/errata/RHSA-2025:2449
- https://access.redhat.com/errata/RHSA-2025:2454
- https://access.redhat.com/errata/RHSA-2025:2701
- https://access.redhat.com/errata/RHSA-2025:2710
- https://access.redhat.com/errata/RHSA-2025:3301
- https://access.redhat.com/errata/RHSA-2025:3573
- https://access.redhat.com/security/cve/CVE-2024-9675
- https://bugzilla.redhat.com/show_bug.cgi?id=2317458