CVE-2024-8676
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
0 < 1.29.11 | affected | ||
1.30.0 < 1.30.8 | affected | ||
1.31.0 < 1.31.3 | affected | ||
| Red Hat | Red Hat OpenShift Container Platform 4.15 | 0:1.28.11-7.rhaos4.15.gitc4c0556.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.16 | 0:1.29.11-3.rhaos4.16.git16d9bd6.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.16 | 416.94.202506251808-0 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.17 | 417.94.202503241418-0 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.18 | 0:1.31.5-5.rhaos4.18.git6dfa0a6.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.18 | 418.94.202504231329-0 < * | unaffected |
Weaknesses
- CWE-285: Improper Authorization
Workarounds
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://access.redhat.com/errata/RHBA-2024:10826
- https://access.redhat.com/errata/RHSA-2025:0648
- https://access.redhat.com/errata/RHSA-2025:1908
- https://access.redhat.com/errata/RHSA-2025:3297
- https://access.redhat.com/errata/RHSA-2025:4211
- https://access.redhat.com/errata/RHSA-2025:9765
- https://access.redhat.com/security/cve/CVE-2024-8676
- https://bugzilla.redhat.com/show_bug.cgi?id=2313842
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.