Lucene search

[email protected]NVD:CVE-2024-3154

HistoryApr 26, 2024 - 4:15 a.m.

CVE-2024-3154

2024-04-2604:15:09

CWE-77

[email protected]

web.nvd.nist.gov

cri-o

systemd property

injection

pod annotation

arbitrary action

host system

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.0%

JSON

A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.

References

access.redhat.com/errata/RHSA-2024:2669

access.redhat.com/errata/RHSA-2024:2672

access.redhat.com/errata/RHSA-2024:2784

access.redhat.com/errata/RHSA-2024:3496

access.redhat.com/security/cve/CVE-2024-3154

bugzilla.redhat.com/show_bug.cgi?id=2272532

github.com/cri-o/cri-o/security/advisories/GHSA-2cgq-h8xw-2v5j

github.com/opencontainers/runc/pull/4217

github.com/opencontainers/runtime-spec/blob/main/features.md#unsafe-annotations-in-configjson

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.0%

JSON

Related for NVD:CVE-2024-3154

veracode1 redos1 github1 cvelist1 osv3 cbl_mariner1 wolfi1 cve1 cgr1 redhatcve1 nessus6 vulnrichment1 redhat5