Flaw in Go Container Runtimes Allows Attackers to Bypass Isolation

CVE-2024-9341

5.4MEDIUM

Key Information

Vendor: Red Hat
Status: Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9; Red Hat Openshift Container Platform 4.12; Red Hat Openshift Container Platform 4.13
Vendor: CVE Published:; 1 October 2024

Summary

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.

Affected Version(s)

Red Hat Enterprise Linux 8 <= 8100020241023085649.afee755d

Red Hat Enterprise Linux 9 <= 4:4.9.4-13.el9_4

Red Hat Enterprise Linux 9 <= 2:1.33.9-1.el9_4

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Risk change from: null to: 5.4 - (MEDIUM)
Oct 1, 2024
Vulnerability published.
Oct 1, 2024
Vulnerability Reserved.
Sep 30, 2024
Reported to Red Hat.
Sep 30, 2024

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Paul Holzinger for reporting this issue.