CVE-2024-5154

moderate-risk

Published 2024-06-12

A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system.

Do I need to act?

1.7% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.1/10 High

NETWORK / LOW complexity

Affected Products (9)

Cri-O

Openshift Container Platform

Affected Vendors

Redhat Kubernetes

References (16)

https://access.redhat.com/errata/RHSA-2024:10818

Vendor Advisory https://access.redhat.com/errata/RHSA-2024:3676

Vendor Advisory https://access.redhat.com/errata/RHSA-2024:3700

Vendor Advisory https://access.redhat.com/errata/RHSA-2024:4008

https://access.redhat.com/errata/RHSA-2024:4159

Vendor Advisory https://access.redhat.com/errata/RHSA-2024:4486

Vendor Advisory https://access.redhat.com/security/cve/CVE-2024-5154

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=2280190

Vendor Advisory https://github.com/cri-o/cri-o/security/advisories/GHSA-j9hf-98c3-wrm8

Vendor Advisory https://access.redhat.com/errata/RHSA-2024:3676

Vendor Advisory https://access.redhat.com/errata/RHSA-2024:3700

Vendor Advisory https://access.redhat.com/errata/RHSA-2024:4008

Vendor Advisory https://access.redhat.com/errata/RHSA-2024:4486

Vendor Advisory https://access.redhat.com/security/cve/CVE-2024-5154

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=2280190

Vendor Advisory https://github.com/cri-o/cri-o/security/advisories/GHSA-j9hf-98c3-wrm8

/ 100

moderate-risk

Severity 28/34 · Critical

Exploitability 4/34 · Minimal

Exposure 15/34 · Moderate