Unknown · CRI-O Container Engine · CVE-2024-3154
**Name of the Vulnerable Software and Affected Versions**
CRI-O Container Engine versions prior to the fixed version
**Description**
A flaw was found in CRI-O, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. This can be achieved by adding annotations such as `org.systemd.property.SuccessAction` to a Pod, allowing for the execution of arbitrary commands on the host system.
**Recommendations**
For CRI-O Container Engine versions prior to the fixed version, consider implementing an external mutating webhook to disallow annotations with the prefix "org.systemd.property." to prevent exploitation.
Unfortunately, there is no information about a newer version that contains a fix for this vulnerability.
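One way to implement the check such a webhook performs, as an added example that is not CRI-O or Kubernetes project code: it takes the raw `AdmissionReview` body the API server sends and rejects any Pod carrying an annotation key with the `org.systemd.property.` prefix. The type and function names are hypothetical, and HTTPS serving and webhook registration are assumed to be handled elsewhere.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Added example; type and function names are hypothetical.
const blockedPrefix = "org.systemd.property." // prefix named in the advisory
type admissionRequest struct { // only the admission.k8s.io/v1 fields this check needs
	UID    string `json:"uid"`
	Object struct {
		Metadata struct {
			Annotations map[string]string `json:"annotations"`
		} `json:"metadata"`
	} `json:"object"`
}
type admissionResponse struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"`
}

// reviewPod returns the AdmissionReview reply for a raw AdmissionReview request.
func reviewPod(body []byte) ([]byte, error) {
	var in struct{ Request *admissionRequest `json:"request"` }
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview: %v", err) // caller answers with an HTTP error
	}
	var hits []string
	for key := range in.Request.Object.Metadata.Annotations {
		if strings.HasPrefix(key, blockedPrefix) {
			hits = append(hits, key)
		}
	}
	sort.Strings(hits) // map iteration order is random; keep the message stable
	resp := admissionResponse{UID: in.Request.UID, Allowed: len(hits) == 0}
	if !resp.Allowed {
		resp.Status = map[string]string{"message": "annotations not allowed: " + strings.Join(hits, ", ")}
	}
	return json.Marshal(map[string]interface{}{"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp})
}

func main() { // constructed sample request, not captured from a cluster
	out, err := reviewPod([]byte(`{"request":{"uid":"example-uid","object":{"metadata":{"annotations":{"org.systemd.property.SuccessAction":"placeholder"}}}}}`))
	fmt.Println(string(out), err)
}
```

Register the webhook for Pod `CREATE` operations with `failurePolicy: Fail`, so that an unreachable webhook does not let such pods through.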