CVE-2024-3154Command Injection in Cri-o Cri-o

CWE-77Command Injection7 documents6 sources
Severity
7.2HIGHNVD
EPSS
0.3%
top 49.32%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Github.com Cri-o Cri-o
Timeline
PublishedApr 26
Latest updateJun 4

Description

A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages1 packages

Gogithub.com/cri-o_cri-o1.29.01.29.4+2

🔴Vulnerability Details

4
OSV
CRI-O vulnerable to an arbitrary systemd property injection in github.com/cri-o/cri-o2024-06-04
OSV
CRI-O vulnerable to an arbitrary systemd property injection2024-04-30
GHSA
CRI-O vulnerable to an arbitrary systemd property injection2024-04-30
CVEList
Cri-o: arbitrary command injection via pod annotation2024-04-26

📋Vendor Advisories

2
Red Hat
cri-o: Arbitrary command injection via pod annotation2024-04-22
Microsoft
Cri-o: arbitrary command injection via pod annotation2024-04-09
CVE-2024-3154 — Command Injection in Cri-o Cri-o | cvebase