Container Orchestration Flaw Allows Arbitrary File Access
CVE-2024-5154
8.1 HIGH
Key Information:
- Vendor: Kubernetes
- Status
- Vendor
- CVE Published: 12 June 2024
What is CVE-2024-5154?
A directory traversal vulnerability exists in CRI-O that can be exploited by a malicious container. This vulnerability allows an attacker to create symbolic links to arbitrary files on the host system using path traversal techniques such as "../". As a result, sensitive files may be accessed or modified, potentially compromising the security of the host environment. This flaw highlights the importance of secure container management practices and timely updates to mitigate risks associated with such vulnerabilities.
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Erik Sjölund for reporting this issue.