CVE-2024-3154

Summary

A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.

Affected Software

VendorProductVersion RangeStatus
1.27.5affected
1.27.6unaffected
1.28.5affected
1.28.6unaffected
1.29.3affected
1.29.4unaffected
1.30.0unaffected
Red HatRed Hat OpenShift Container Platform 4.120:1.25.5-16.2.rhaos4.12.gitcb09013.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.130:1.26.5-16.2.rhaos4.13.git67e2a9d.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.140:1.27.6-2.rhaos4.14.gitb3bd0bf.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.150:1.28.6-2.rhaos4.15.git77bbb1c.el8 < *unaffected

Weaknesses

  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References