CVE-2024-11218: 
Podman vulnerability analysis and mitigation

A vulnerability was discovered in podman build and buildah tools, identified as CVE-2024-11218. The vulnerability was disclosed on January 22, 2025, affecting container build operations. The issue allows for a container breakout by exploiting a race condition when building a malicious Containerfile using the --jobs=2 flag (NVD, Security Online).

The vulnerability stems from a race condition that occurs during container build processes when using the --mount flag in RUN instructions combined with either multi-stage builds using concurrent execution stages (via --jobs CLI flag) or multiple separate but concurrent builds. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (Security Online).

The vulnerability enables attackers to break out of containers and access sensitive information on the host system. While SELinux might provide some mitigation, even with SELinux enabled, the vulnerability still allows for enumeration of files and directories on the host. This is particularly concerning when the build process runs as a root-owned podman system service (Security Online).

Patches have been released to address this vulnerability across multiple versions of affected products. Red Hat has issued several security advisories (RHSA) with fixes for various product versions. Users are strongly encouraged to update their installations to the latest patched versions. Additionally, enabling mandatory access controls can help limit the impact of this vulnerability (Security Online).