7.4 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): NONE
Cri-o: checkpoint restore can be triggered from different namespaces
A vulnerability was found in CRI-O: it can be asked to take a checkpoint archive of a container and later be asked to restore it. During that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, which verify that the pod has access to the mounts it specifies, do not apply to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or CRI-O socket to call the restore endpoint and trigger the restore.
References
- RHBZ#2313842 issue-tracking x_refsource_REDHAT
- https://access.redhat.com/security/cve/CVE-2024-8676 x_refsource_REDHAT vdb-entry
- RHBA-2024:10826 vendor-advisory x_refsource_REDHAT
- RHSA-2025:0648 vendor-advisory x_refsource_REDHAT
- RHSA-2025:1908 vendor-advisory x_refsource_REDHAT
- RHSA-2025:3297 vendor-advisory x_refsource_REDHAT
- RHSA-2025:4211 vendor-advisory x_refsource_REDHAT
- RHSA-2025:9765 vendor-advisory x_refsource_REDHAT
Affected products
- <1.31.3
- <1.30.8
- <1.29.11
- *
- *
Matching in nixpkgs
pkgs.cri-o
Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface
- nixos-unstable -
- nixpkgs-unstable 1.34.0
pkgs.conmon-rs
OCI container runtime monitor written in Rust
- nixos-unstable -
- nixpkgs-unstable 0.7.2
pkgs.cri-o-unwrapped
Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface
- nixos-unstable -
- nixpkgs-unstable 1.34.0
Package maintainers
- @vdemeester Vincent Demeester <vincent@sbr.pm>
- @saschagrunert Sascha Grunert <mail@saschagrunert.de>