CVE-2024-5154
8.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Summary
A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
1.30.0 < 1.30.1 | affected | ||
1.29.4 < 1.29.5 | affected | ||
1.28.6 < 1.28.7 | affected | ||
| Red Hat | Red Hat OpenShift Container Platform 4.12 | 0:1.25.5-21.2.rhaos4.12.gita3eb75f.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.13 | 0:1.26.5-18.2.rhaos4.13.git2e90133.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.14 | 0:1.27.7-3.rhaos4.14.git674563e.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.15 | 0:1.28.7-2.rhaos4.15.git111aec5.el9 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.16 | 0:1.29.5-7.rhaos4.16.git7db4ada.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.16 | 0:5.14.0-427.24.1.el9_4 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.16 | 0:4.16.0-202406191607.p0.g58452d8.assembly.stream.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.17 | 417.94.202412040832-0 < * | unaffected |
Weaknesses
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Workarounds
There is no mitigation available for this vulnerability, a package update is required.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
- https://access.redhat.com/errata/RHSA-2024:3676
- https://access.redhat.com/errata/RHSA-2024:3700
- https://access.redhat.com/errata/RHSA-2024:4008
- https://access.redhat.com/errata/RHSA-2024:4486
- https://access.redhat.com/security/cve/CVE-2024-5154
- https://bugzilla.redhat.com/show_bug.cgi?id=2280190
- https://github.com/cri-o/cri-o/security/advisories/GHSA-j9hf-98c3-wrm8
References
- https://access.redhat.com/errata/RHSA-2024:10818
- https://access.redhat.com/errata/RHSA-2024:3676
- https://access.redhat.com/errata/RHSA-2024:3700
- https://access.redhat.com/errata/RHSA-2024:4008
- https://access.redhat.com/errata/RHSA-2024:4159
- https://access.redhat.com/errata/RHSA-2024:4486
- https://access.redhat.com/security/cve/CVE-2024-5154
- https://bugzilla.redhat.com/show_bug.cgi?id=2280190
- https://github.com/cri-o/cri-o/security/advisories/GHSA-j9hf-98c3-wrm8
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.