CVE-2018-10856: Podman Elevated Container Privileges
CVSS Score: 8.8 (CVSS 3.0)
Basic Information
CVE ID
GHSA ID
EPSS Score
0.36952%
CWE
Published
5/13/2022
Updated
9/16/2024
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/containers/podman | go | < 0.6.1 | 0.6.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The GitHub patch shows critical modifications to the setupCapabilities function in pkg/spec/spec.go. The commit message explicitly states the need to 'clear all caps except the bounding set' when --user is specified, and the diff adds logic to reset capabilities for non-root users. CWE-732 (Incorrect Permission Assignment) maps directly to this capability-retention issue. The test case added in run_test.go verifies capability dropping for non-root users, confirming that this was the vulnerable code path.