We have identified a symlink race condition vulnerability in Pouch, Alibaba Group’s rich container runtime. It has been assigned CVE-2024-41228 and is classified as a high-risk vulnerability (CVSS score 7.6).


A vulnerability in Pouch’s cp function allows attackers to escalate privileges and overwrite files. Pouch, Alibaba’s container runtime, was found to have a race condition in its cp command, similar to a known Docker vulnerability. Although Docker fixed the issue in its latest version, the package version vendored by Pouch still contained the flaw. The issue was responsibly disclosed to Pouch and CNVD, which led to a fix and to the assignment of the IDs CVE-2024-41228 and CNVD-2023-71698.
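The general defence against this class of symlink race in a copy-into-container path is to stop resolving a path and then using it by name, and instead walk it one component at a time from a directory file descriptor while refusing symlinks. The Go sketch below is an added example of that pattern, not Pouch's or Docker's actual patch, and it goes beyond what the advisory states. Assumptions: Linux only, the container root path is trusted, and `openInRoot` and the demo paths are hypothetical names.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// openInRoot opens rel for writing under root (assumed trusted) without following
// symlinks: each component is opened relative to the previous directory fd with
// O_NOFOLLOW, so a component swapped for a symlink makes the open fail.
func openInRoot(root, rel string) (*os.File, error) {
	clean := filepath.Clean("/" + rel) // anchoring at "/" collapses any leading ".."
	parts := strings.Split(strings.TrimPrefix(clean, "/"), "/")
	dirfd, err := syscall.Open(root, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return nil, err
	}
	defer func() { syscall.Close(dirfd) }() // closes whichever directory fd is current
	for _, p := range parts[:len(parts)-1] {
		next, err := syscall.Openat(dirfd, p, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
		if err != nil {
			return nil, fmt.Errorf("component %q: %w", p, err)
		}
		syscall.Close(dirfd)
		dirfd = next
	}
	fd, err := syscall.Openat(dirfd, parts[len(parts)-1], syscall.O_WRONLY|syscall.O_CREAT|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0600)
	if err != nil {
		return nil, fmt.Errorf("final component: %w", err)
	}
	return os.NewFile(uintptr(fd), filepath.Join(root, clean)), nil
}

func main() {
	base, _ := os.MkdirTemp("", "cp-demo") // constructed sandbox, removed on exit
	defer os.RemoveAll(base)
	root := filepath.Join(base, "rootfs")
	os.MkdirAll(filepath.Join(root, "data"), 0755)
	os.Symlink(base, filepath.Join(root, "link")) // constructed symlink pointing out of root
	for _, rel := range []string{"data/ok.txt", "link/escaped.txt"} {
		f, err := openInRoot(root, rel)
		if err == nil {
			f.Close()
		}
		fmt.Printf("%-18s err=%v\n", rel, err)
	}
}
```

Because the write goes through the returned file descriptor, a later rename or symlink swap of any path component cannot redirect it.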

Check NVD’s security advisory for more details.