cbcvebase.
CVE-2024-8676
published 2024-11-26

CVE-2024-8676: A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that…

PriorityP348high7.4CVSS 3.1
AVNACHPRNUINSUCHIHAN
EPSS
0.77%
51.1th percentile
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.

Affected

3 ranges
VendorProductVersion rangeFixed in
github.comcri-o_cri-o>= 0 < 1.29.111.29.11
github.comcri-o_cri-o>= 1.30.0 < 1.30.81.30.8
github.comcri-o_cri-o>= 1.31.0 < 1.31.31.31.3

CVSS provenance

nvdv3.17.4HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_redhat7.4HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.