CVE-2024-5154 — Path Traversal in Redhat Openshift Container Platform

CWE-22 — Path Traversal CWE-668 — Resource Exposure6 documents5 sources

Severity

8.1HIGHNVD

EPSS

1.7%

top 17.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Cri-o Cri-o Kubernetes Cri-o Redhat Openshift Container Platform

Timeline

PublishedJun 12

Latest updateJun 14

Description

A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:NExploitability: 1.7 | Impact: 5.8

Affected Packages2 packages

▶Gogithub.com/cri-o_cri-o1.28.6 — 1.28.7+2

▶NVDkubernetes/cri-o1.28.6, 1.29.4, 1.30.0+2

Also affects: Openshift Container Platform 3.11, 4.0, 4.12, 4.13, 4.14, 4.15

🔴Vulnerability Details

OSV

malicious container creates symlink "mtab" on the host External in github.com/cri-o/cri-o↗2024-06-14

▶

CVEList

Cri-o: malicious container can create symlink on host↗2024-06-12

▶

GHSA

malicious container creates symlink "mtab" on the host External↗2024-06-04

▶

OSV

malicious container creates symlink "mtab" on the host External↗2024-06-04

▶

📋Vendor Advisories

Red Hat

cri-o: malicious container can create symlink on host↗2024-05-27

▶