CVE-2024-5154

Summary

A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system.

Affected Software

VendorProductVersion RangeStatus
1.30.0 < 1.30.1affected
1.29.4 < 1.29.5affected
1.28.6 < 1.28.7affected
Red HatRed Hat OpenShift Container Platform 4.120:1.25.5-21.2.rhaos4.12.gita3eb75f.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.130:1.26.5-18.2.rhaos4.13.git2e90133.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.140:1.27.7-3.rhaos4.14.git674563e.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.150:1.28.7-2.rhaos4.15.git111aec5.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.160:1.29.5-7.rhaos4.16.git7db4ada.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.160:5.14.0-427.24.1.el9_4 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.160:4.16.0-202406191607.p0.g58452d8.assembly.stream.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.17417.94.202412040832-0 < *unaffected

Weaknesses

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Workarounds

There is no mitigation available for this vulnerability, a package update is required.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References