PT-2024-4423 · Cri-O+2 · Cri-O+2

Eriksjolund

Published

2024-06-03

Updated

2025-06-23

CVE-2024-5154

CVSS v3.1

8.1

High

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions cri-o versions prior to 1.30.1 cri-o versions prior to 1.29.5 cri-o versions prior to 1.28.7

Description A flaw was found in cri-o, allowing a malicious container to create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw enables the container to read and write to arbitrary files on the host system. A malicious container can affect the host by taking advantage of code cri-o added to show the container mounts on the host.

Recommendations For cri-o versions prior to 1.30.1, update to version 1.30.1 or later. For cri-o versions prior to 1.29.5, update to version 1.29.5 or later. For cri-o versions prior to 1.28.7, update to version 1.28.7 or later. As a temporary workaround, consider restricting the use of the vulnerable container functionality until a patch is available.

Fix

Path traversal

Exposure of Resource to Wrong Sphere

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22CWE-668

Related Identifiers

ALT-PU-2024-10202

ALT-PU-2024-10370

ALT-PU-2024-9808

ALT-PU-2024-9810

BDU:2024-04923

CVE-2024-5154

GHSA-J9HF-98C3-WRM8

GO-2024-2919

RHSA-2024:3676

RHSA-2024:3700

RHSA-2024:4008

RHSA-2024:4159

RHSA-2024:4486

Affected Products

Alt Linux

Red Os

Cri-O

PT-2024-4423 · Cri-O+2 · Cri-O+2

CVE-2024-5154

Weakness Enumeration

Related Identifiers

Affected Products

References · 28