Base Score

HIGH8.1

CVE-2024-5154

A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system.

VectorNETWORK

Published Bysecalert@redhat.com

Published DateJun 12, 2024, 09:15

Affected Versions(3)

github.com/cri-o/cri-o(Go)

Introduced1.28.6

Fixed1.28.7

LimitN/A

github.com/cri-o/cri-o(Go)

Introduced1.29.4

Fixed1.29.5

LimitN/A

github.com/cri-o/cri-o(Go)

Introduced1.30.0

Fixed1.30.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/cri-o/cri-o(Go)	1.28.6	1.28.7	N/A
github.com/cri-o/cri-o(Go)	1.29.4	1.29.5	N/A
github.com/cri-o/cri-o(Go)	1.30.0	1.30.1	N/A

Weakness Type (CWE):CWE-22

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE

References

Base Score

HIGH8.1

Weakness Type (CWE):CWE-22

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE