CVE-2024-5154

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-5154
A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://access.redhat.com/errata/RHSA-2024:10818
https://access.redhat.com/errata/RHSA-2024:3676 Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:3700 Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:4008 Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:4159
https://access.redhat.com/errata/RHSA-2024:4486 Vendor Advisory
https://access.redhat.com/security/cve/CVE-2024-5154 Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2280190 Issue Tracking
https://github.com/cri-o/cri-o/security/advisories/GHSA-j9hf-98c3-wrm8 Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:3676 Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:3700 Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:4008 Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:4486 Vendor Advisory
https://access.redhat.com/security/cve/CVE-2024-5154 Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2280190 Issue Tracking
https://github.com/cri-o/cri-o/security/advisories/GHSA-j9hf-98c3-wrm8 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:kubernetes:cri-o:1.28.6:*:*:*:*:*:*:*
cpe:2.3:a:kubernetes:cri-o:1.29.4:*:*:*:*:*:*:*
cpe:2.3:a:kubernetes:cri-o:1.30.0:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
OR cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.13:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.14:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.15:*:*:*:*:*:*:*
OR cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
History

No history.

Information

Published : 2024-06-12 09:15

Updated : 2025-06-23 14:15

NVD link : CVE-2024-5154

Mitre link : CVE-2024-5154

CVE.ORG link : CVE-2024-5154

JSON object : View

Products Affected

redhat

  • openshift_container_platform
  • enterprise_linux

kubernetes

  • cri-o
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')