Untriaged
CVE-2024-3154
7.2 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): HIGH
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
Cri-o: arbitrary command injection via pod annotation
A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.
References
- https://access.redhat.com/security/cve/CVE-2024-3154 x_refsource_REDHAT vdb-entry
- RHBZ#2272532 issue-tracking x_refsource_REDHAT
- https://github.com/cri-o/cri-o/security/advisories/GHSA-2cgq-h8xw-2v5j
- https://github.com/opencontainers/runc/pull/4217
- https://github.com/opencontainers/runtime-spec/blob/main/features.md#unsafe-ann…
- RHSA-2024:2669 x_refsource_REDHAT vendor-advisory
- RHSA-2024:2672 x_refsource_REDHAT vendor-advisory
- RHSA-2024:2784 x_refsource_REDHAT vendor-advisory
- RHSA-2024:3496 x_refsource_REDHAT vendor-advisory
Affected products
cri-o
- ==1.27.6
- ==1.28.6
- ==1.29.3
- ==1.28.5
- ==1.29.4
- ==1.30.0
- ==1.27.5
- *
Matching in nixpkgs
pkgs.cri-o
Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface
- nixos-unstable -
- nixpkgs-unstable 1.34.0
pkgs.cri-o-unwrapped
Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface
- nixos-unstable -
- nixpkgs-unstable 1.34.0
Package maintainers
- @saschagrunert Sascha Grunert <mail@saschagrunert.de>
- @vdemeester Vincent Demeester <vincent@sbr.pm>