CVE-2024-9341

Summary

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.

Affected Software

VendorProductVersion RangeStatus
0 < 0.60.4affected
Red HatRed Hat Enterprise Linux 88100020241023085649.afee755d < *unaffected
Red HatRed Hat Enterprise Linux 94:4.9.4-13.el9_4 < *unaffected
Red HatRed Hat Enterprise Linux 92:1.33.9-1.el9_4 < *unaffected
Red HatRed Hat Enterprise Linux 94:5.2.2-9.el9_5 < *unaffected
Red HatRed Hat Enterprise Linux 92:1.37.5-1.el9_5 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.120:1.25.5-5.rhaos4.12.git53dc492.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.130:1.26.5-26.rhaos4.13.giteb3d487.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.140:1.27.8-10.rhaos4.14.git807f92c.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.150:1.28.11-5.rhaos4.15.git35a2431.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.160:1.29.9-5.rhaos4.16.git34690b9.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.16416.94.202411201433-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.170:1.30.6-3.rhaos4.17.git49b5172.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.17417.94.202412040832-0 < *unaffected

Weaknesses

  • CWE-59: Improper Link Resolution Before File Access ('Link Following')

Workarounds

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References