CVE-2024-5154

Опубликовано: 27 мая 2024

Источник: redhat

CVSS3: 8.1

Описание

A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system.

Отчет

Red Hat OpenShift Container Platform (OCP) includes the vulnerable cri-o library, however it does not load untrusted container, therefore impact is reduced to Important.

Меры по смягчению последствий

There is no mitigation available for this vulnerability, a package update is required.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 8	container-tools:rhel8/podman	Not affected
Red Hat Enterprise Linux 9	conmon	Not affected
Red Hat OpenShift Container Platform 3.11	cri-o	Out of support scope
Red Hat OpenShift Container Platform 4	rhcos	Affected
Red Hat OpenShift Container Platform 4.12	cri-o	Fixed	RHSA-2024:4008	27.06.2024
Red Hat OpenShift Container Platform 4.13	cri-o	Fixed	RHSA-2024:4486	17.07.2024
Red Hat OpenShift Container Platform 4.14	cri-o	Fixed	RHSA-2024:3700	13.06.2024
Red Hat OpenShift Container Platform 4.15	cri-o	Fixed	RHSA-2024:3676	11.06.2024
Red Hat OpenShift Container Platform 4.16	cri-o	Fixed	RHSA-2024:4159	03.07.2024
Red Hat OpenShift Container Platform 4.16	kernel	Fixed	RHSA-2024:4159	03.07.2024

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-22

https://bugzilla.redhat.com/show_bug.cgi?id=2280190cri-o: malicious container can create symlink on host

8.1 High

CVSS3

Связанные уязвимости

CVE-2024-5154

CVSS3: 8.1

ubuntu

около 1 года назад

A flaw was found in cri-o. A malicious container can create a symbolic link pointing to an arbitrary directory or file on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system.