CVE-2024-9675 Overview
A path traversal vulnerability was discovered in Buildah, a tool for building OCI-compatible container images. The flaw exists in how Buildah handles cache mounts during container image builds. Cache mounts do not properly validate that user-specified paths are within the designated cache directory, allowing a RUN instruction in a Containerfile to mount an arbitrary directory from the host system (with read/write access) into the container, provided those files are accessible by the user running Buildah.
Critical Impact
Local attackers can leverage malicious Containerfiles to escape the intended cache directory boundaries and access or modify arbitrary host filesystem locations accessible to the Buildah process user, potentially leading to information disclosure or unauthorized file modifications.
Affected Products
- Buildah (Buildah Project)
- Red Hat OpenShift Container Platform (versions 4.13-4.17)
- Red Hat Enterprise Linux 8.0 and 9.0 (including EUS, ARM64, IBM Z Systems, and Power variants)
Discovery Timeline
- October 9, 2024 - CVE-2024-9675 published to NVD
- August 25, 2025 - Last updated in NVD database
Technical Details for CVE-2024-9675
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The core issue lies in Buildah's cache mount handling logic, which fails to properly sanitize and validate user-supplied path arguments. When a user specifies a cache mount path in a Containerfile's RUN instruction, Buildah does not adequately verify that the resolved path remains within the expected cache directory boundaries.
The vulnerability requires local access and low privileges to exploit: an attacker must be able to run buildah build with a malicious Containerfile. The impact is to confidentiality and integrity rather than availability, since the attacker can read from and write to any host directory that the Buildah process user can access, but cannot gain more than that user's permissions.
Root Cause
The root cause is insufficient input validation in Buildah's cache mount implementation. When processing --mount=type=cache directives in RUN instructions, the code does not properly canonicalize paths or check for directory traversal sequences (such as ../) that could escape the intended cache directory. This allows an attacker to craft a Containerfile that references paths outside the designated cache storage location.
Attack Vector
The attack requires local access to a system running Buildah. An attacker crafts a malicious Containerfile containing a RUN instruction with a cache mount that specifies a path traversal sequence pointing to a sensitive host directory. When an unsuspecting user or automated CI/CD pipeline executes buildah build on this Containerfile, the malicious cache mount directive causes an arbitrary host directory to be mounted into the build container with read/write permissions.
The attacker can then access sensitive configuration files, credentials, or other data accessible to the user running Buildah. Additionally, they could modify files on the host system, potentially achieving persistence or escalating the attack.
Detection Methods for CVE-2024-9675
Indicators of Compromise
- Containerfiles containing --mount=type=cache directives with path traversal sequences such as ../ in the target or source paths
- Buildah processes accessing files or directories outside of expected cache locations (typically under /var/tmp/ or user-specified cache directories)
- Unexpected file access patterns during container build operations
Detection Strategies
- Audit Containerfiles for suspicious cache mount configurations before executing builds, particularly looking for relative path components
- Monitor file system access by Buildah processes using tools like auditd or eBPF-based monitoring to detect access to sensitive directories
- Implement static analysis scanning in CI/CD pipelines to flag potentially malicious Containerfile instructions
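As an added example (not code from the Buildah project or the advisory), a small Containerfile linter that covers both the Root Cause section and the static-scanning strategy above: it parses the options of each RUN --mount=type=cache directive and applies the containment check the affected versions lacked, resolving the mount source under an assumed cache root (CACHE_ROOT is a placeholder, not Buildah's real location) and flagging anything that lands outside it. The sample Containerfile is constructed.

```python
import os
import shlex
# Assumed cache root for the containment check; Buildah's real location varies by setup.
CACHE_ROOT = "/var/tmp/buildah-cache"

# Constructed sample Containerfile: one ordinary cache mount, one with a traversal source.
SAMPLE_CONTAINERFILE = """\
FROM registry.example/base:latest
RUN --mount=type=cache,target=/root/.cache/pip \\
    pip install -r requirements.txt
RUN --mount=type=cache,source=../../../,target=/mnt/host,rw ls /mnt/host
"""

def iter_run_instructions(text):
    """Yield each RUN instruction as one string, joining backslash continuations."""
    buf = []
    for line in (l.rstrip() for l in text.splitlines()):
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        stmt, buf = " ".join(buf + [line]).strip(), []
        if stmt.upper().startswith("RUN "):
            yield stmt

def parse_mount(flag):
    """Split '--mount=type=cache,target=/x,rw' into a key -> value dict."""
    return dict(item.partition("=")[::2] for item in flag[len("--mount="):].split(","))

def escapes_cache_root(source, cache_root=CACHE_ROOT):
    """Lexically resolve the source under the cache root: the containment check the flaw lacked."""
    resolved = os.path.normpath(os.path.join(cache_root, source))
    return resolved != cache_root and not resolved.startswith(cache_root + os.sep)

def find_suspicious_cache_mounts(text):
    """Return (instruction, reason) for cache mounts escaping the root or with '..' targets."""
    findings = []
    for stmt in iter_run_instructions(text):
        for tok in shlex.split(stmt)[1:]:
            if not tok.startswith("--mount="):
                break  # RUN options end at the first non-flag token
            opts = parse_mount(tok)
            if opts.get("type") != "cache":
                continue
            source = opts.get("source", opts.get("src", ""))
            target = opts.get("target", opts.get("dst", ""))
            if source and escapes_cache_root(source):
                findings.append((stmt, f"source {source!r} resolves outside {CACHE_ROOT}"))
            if ".." in target.split("/"):
                findings.append((stmt, f"target {target!r} contains '..'"))
    return findings
```

The check is purely lexical; a symlink placed inside the cache directory would still need the filesystem-level resolution that the patched Buildah performs.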
Monitoring Recommendations
- Enable audit logging for Buildah operations and review logs for unusual cache mount paths
- Monitor for unexpected modifications to files outside of container build directories
- Track Buildah version usage across your environment to ensure patched versions are deployed
How to Mitigate CVE-2024-9675
Immediate Actions Required
- Update Buildah to the latest patched version available for your distribution
- Review and audit existing Containerfiles for suspicious cache mount configurations
- Restrict which users can execute Buildah builds on production systems
- Consider running Buildah in rootless mode to limit potential impact of exploitation
Patch Information
Red Hat has released multiple security advisories addressing this vulnerability across its product portfolio. Organizations should apply the appropriate patches for their Red Hat Enterprise Linux or OpenShift Container Platform version:
- RHSA-2024:8563 and subsequent advisories for RHEL 8.x and 9.x
- RHSA-2024:9454 and RHSA-2024:9459 for RHEL 9
- Additional advisories through 2025 including RHSA-2025:2445, RHSA-2025:2449, and RHSA-2025:3573
Refer to the Red Hat CVE page for CVE-2024-9675 for the complete list of available patches and affected versions.
Workarounds
- Implement strict Containerfile review policies before allowing builds, rejecting any files with suspicious mount configurations
- Use container image scanning tools to validate Containerfiles in automated pipelines before execution
- Run Buildah with minimal filesystem permissions and in isolated environments where possible
- Consider using SELinux or AppArmor policies to restrict Buildah's filesystem access patterns
# Example: flag cache mounts whose source or target contains a parent-directory component
grep -rn "mount=type=cache" /path/to/containerfiles/ | grep -E '(^|[=/])\.\.(/|,|$)'
# Rootless mode means running buildah as an unprivileged user, so a traversal is
# confined to files that user can already reach (buildah unshare is not required for this)
buildah build -t myimage .
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.