Vulnerability Details CVE-2024-5154
A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 31.4%
CVSS Severity
CVSS v3 Score 8.1
References
- https://access.redhat.com/errata/RHSA-2024:10818
- https://access.redhat.com/errata/RHSA-2024:3676
- https://access.redhat.com/errata/RHSA-2024:3700
- https://access.redhat.com/errata/RHSA-2024:4008
- https://access.redhat.com/errata/RHSA-2024:4486
- https://access.redhat.com/security/cve/CVE-2024-5154
- https://bugzilla.redhat.com/show_bug.cgi?id=2280190
- https://github.com/cri-o/cri-o/security/advisories/GHSA-j9hf-98c3-wrm8
- https://access.redhat.com/errata/RHSA-2024:3676
- https://access.redhat.com/errata/RHSA-2024:3700
- https://access.redhat.com/errata/RHSA-2024:4008
- https://access.redhat.com/errata/RHSA-2024:4486
- https://access.redhat.com/security/cve/CVE-2024-5154
- https://bugzilla.redhat.com/show_bug.cgi?id=2280190
- https://github.com/cri-o/cri-o/security/advisories/GHSA-j9hf-98c3-wrm8
Products affected by CVE-2024-5154
-
cpe:2.3:a:kubernetes:cri-o:1.28.6
-
cpe:2.3:a:kubernetes:cri-o:1.29.4
-
cpe:2.3:a:kubernetes:cri-o:1.30.0
-
cpe:2.3:a:redhat:openshift_container_platform:3.11
-
cpe:2.3:a:redhat:openshift_container_platform:4.0
-
cpe:2.3:a:redhat:openshift_container_platform:4.12
-
cpe:2.3:a:redhat:openshift_container_platform:4.13
-
cpe:2.3:a:redhat:openshift_container_platform:4.14
-
cpe:2.3:a:redhat:openshift_container_platform:4.15
-
cpe:2.3:o:redhat:enterprise_linux:8.0
-
cpe:2.3:o:redhat:enterprise_linux:9.0