A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.

Affected Packages

Go github.com/containers/common

Affected versions: 0 (fixed in 0.60.4)

Related CVEs

CVE-2024-9341

Key Information

GHSA ID

GHSA-mc76-5925-c5p6

Published

October 1, 2024 9:31 PM

Last Modified

December 11, 2024 6:30 AM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

github.com/containers/common

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.