Container Orchestration Flaw Allows Arbitrary File Access

CVE-2024-5154

8.1HIGH

Key Information

Vendor: Red Hat
Status: Red Hat Openshift Container Platform 4.12; Red Hat Openshift Container Platform 4.13; Red Hat Openshift Container Platform 4.14; Red Hat Openshift Container Platform 4.15
Vendor: CVE Published:; 12 June 2024

Summary

A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system.

Affected Version(s)

Red Hat OpenShift Container Platform 4.12 <= 0:1.25.5-21.2.rhaos4.12.gita3eb75f.el8

Red Hat OpenShift Container Platform 4.13 <= 0:1.26.5-18.2.rhaos4.13.git2e90133.el8

Red Hat OpenShift Container Platform 4.14 <= 0:1.27.7-3.rhaos4.14.git674563e.el9

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Risk change from: null to: 8.1 - (HIGH)
Jun 18, 2024
Vulnerability published.
Jun 12, 2024
Vulnerability Reserved.
May 20, 2024
Reported to Red Hat.
May 10, 2024

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Erik Sjölund ([email protected]) for reporting this issue.