CVE-2024-3154

CVSS v2.0

8.3

High

Vector

AV:N/AC:L/Au:M/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions CRI-O Container Engine versions prior to the fixed version

Description A flaw was found in CRI-O, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. This can be achieved by adding annotations such as org.systemd.property.SuccessAction to a Pod, allowing for the execution of arbitrary commands on the host system.

Recommendations For CRI-O Container Engine versions prior to the fixed version, consider implementing an external mutating webhook to disallow annotations with the prefix "org.systemd.property." to prevent exploitation. Unfortunately, there is no information about a newer version that contains a fix for this vulnerability.

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77

Related Identifiers

ALT-PU-2024-8461

ALT-PU-2024-8463

ALT-PU-2024-8542

ALT-PU-2024-8544

ALT-PU-2024-8807

ALT-PU-2024-8809

AZL-42307

BDU:2024-04112

CVE-2024-3154

GHSA-2CGQ-H8XW-2V5J

GHSA-C5PJ-MQFH-RVC3

GO-2024-2791

OESA-2024-1671

OESA-2024-1675

OESA-2024-1688

OPENSUSE-SU-2024:14334-1

RHSA-2024:2669

RHSA-2024:2672

RHSA-2024:2784

RHSA-2024:3496

Affected Products

Alt Linux

Cri-O Container Engine

Red Os

CVE-2024-3154

Weakness Enumeration

Related Identifiers

Affected Products

References · 34