What is CVE-2024-5154?

CVE-2024-5154 is a high-severity vulnerability in Kubernetes Cri-o, classified under Path Traversal. CVSS score: 8.1/10. Published 2024-06-12.

How severe is CVE-2024-5154?

High severity. CVSS v3 base score is 8.1 out of 10.

Is CVE-2024-5154 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Path Traversal in Kubernetes Cri-o

CVE-2024-5154

A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system.

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.012 (65.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N.

Affected products

Kubernetes Cri-o — versions 1.28.6, 1.29.4, 1.30.0
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Openshift Container Platform 3.11
Red Hat Openshift Container Platform 4
Red Hat Openshift Container Platform 4.12 — versions 0:1.25.5-21.2.rhaos4.12.gita3eb75f.el8
Red Hat Openshift Container Platform 4.13 — versions 0:1.26.5-18.2.rhaos4.13.git2e90133.el8
Red Hat Openshift Container Platform 4.14 — versions 0:1.27.7-3.rhaos4.14.git674563e.el8
Red Hat Openshift Container Platform 4.15 — versions 0:1.28.7-2.rhaos4.15.git111aec5.el9
Red Hat Openshift Container Platform 4.16 — versions 0:1.29.5-7.rhaos4.16.git7db4ada.el8, 0:5.14.0-427.24.1.el9_4, 0:4.16.0-202406191607.p0.g58452d8.assembly.stream.el8

Weakness classification (CWE)

CWE-22 — Path Traversal

Public proof-of-concept exploits

fkie-cad/nvd-json-data-feeds

References

secalert@redhat.com (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
secalert@redhat.com (x_refsource_REDHAT, vdb-entry, Vendor Advisory)
secalert@redhat.com (x_refsource_REDHAT, issue-tracking, Issue Tracking)
secalert@redhat.com (Vendor Advisory)

Frequently asked questions

What is CVE-2024-5154?: CVE-2024-5154 is a high-severity vulnerability in Kubernetes Cri-o, classified under Path Traversal. CVSS score: 8.1/10. Published 2024-06-12.
How severe is CVE-2024-5154?: High severity. CVSS v3 base score is 8.1 out of 10.
Is CVE-2024-5154 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.