
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-1726 is a security vulnerability in Podman that incorrectly allows a container, at creation time, to overwrite existing files in a volume, even when the volume is mounted as read-only. The flaw was introduced in version 1.6.0 and affects systems that use Podman for container management (NVD, Red Hat CVE).
The vulnerability lies in the mountNamedVolume() function, which copies the contents of the container's directory at the volume's mount destination into the volume. This copy runs only on the volume's first use, while vol.state.NeedsCopyUp is True; the field is then set to False. Unlike Docker, which checks whether a volume is empty before copying data into it, Podman did not implement this verification, so a malicious container could overwrite existing volume data (Bugzilla). The vulnerability has a CVSS v3.1 Base Score of 5.9 (Medium) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).
When a user runs a malicious container, or a container built from a malicious image, with an attached volume that is being used for the first time, the flaw can be triggered to overwrite files in the volume, even if the volume is mounted as read-only. This can lead to data corruption or manipulation of sensitive files (NVD).
As a temporary mitigation, if a volume needs to be attached read-only to an untrusted container or container image, first attach it to a trusted container. That first use consumes the one-time copy-up, so other containers that later use the volume cannot trigger the attack. The issue was fixed in subsequent releases through Red Hat's security updates RHSA-2020:0680 and RHSA-2020:1650 (Bugzilla).
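The copy-up logic described above, and the reason the first-use mitigation works, modelled as an added Go example (illustrative code, not Podman's own): the Volume type, the helper names and the checkEmpty switch are assumptions; checkEmpty=false follows the vulnerable flow, checkEmpty=true adds the empty-volume check the page says Docker performs.

```go
package main

import (
	"os"
	"path/filepath"
)

// Volume is an illustrative model (not Podman's type) of the state the page describes.
type Volume struct {
	MountPoint  string // host directory backing the volume
	NeedsCopyUp bool   // true only until the first mount, as in vol.state.NeedsCopyUp
}

// isEmptyDir is the pre-copy check the page says Docker performs and Podman lacked.
func isEmptyDir(dir string) (bool, error) {
	entries, err := os.ReadDir(dir)
	return len(entries) == 0, err
}

// copyTree copies src into dst, overwriting whatever is already there.
func copyTree(src, dst string) error {
	return filepath.Walk(src, func(p string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(src, p)
		if info.IsDir() {
			return os.MkdirAll(filepath.Join(dst, rel), 0o755)
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		return os.WriteFile(filepath.Join(dst, rel), data, 0o644)
	})
}

// mountNamedVolume does the one-time copy-up; checkEmpty=false reproduces the
// vulnerable flow, checkEmpty=true adds the missing empty-volume check.
func mountNamedVolume(v *Volume, containerDir string, checkEmpty bool) error {
	if !v.NeedsCopyUp {
		return nil // later mounts never copy, which is why the page's mitigation works
	}
	v.NeedsCopyUp = false
	empty, err := isEmptyDir(v.MountPoint)
	if err != nil || (checkEmpty && !empty) {
		return err
	}
	return copyTree(containerDir, v.MountPoint)
}
```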
Source: This report was generated using AI