Container Orchestration Flaw Allows Arbitrary File Access
CVE-2024-5154

8.1HIGH

Summary

A directory traversal vulnerability exists in CRI-O that can be exploited by a malicious container. It allows an attacker to create symbolic links that point to arbitrary files on the host system by using path traversal sequences such as "../". As a result, sensitive host files may be read or modified, potentially compromising the security of the host environment. This flaw underlines the importance of secure container management practices and of applying updates promptly to mitigate the risk associated with such vulnerabilities.

Affected Version(s)

Red Hat OpenShift Container Platform 4.12 0:1.25.5-21.2.rhaos4.12.gita3eb75f.el8

Red Hat OpenShift Container Platform 4.13 0:1.26.5-18.2.rhaos4.13.git2e90133.el8

Red Hat OpenShift Container Platform 4.14 0:1.27.7-3.rhaos4.14.git674563e.el9

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Collectors

NVD Database, Mitre Database

Credit

Red Hat would like to thank Erik Sjölund ([email protected]) for reporting this issue.