{
  "threat_severity" : "Important",
  "public_date" : "2024-05-27T18:00:00Z",
  "bugzilla" : {
    "description" : "cri-o: malicious container can create symlink on host",
    "id" : "2280190",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2280190"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host by supplying a directory-traversal (\"../\") path that is not confined to the container's root filesystem. This flaw allows the container to read and write arbitrary files on the host system.", "A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host by supplying a directory-traversal (\"../\") path that is not confined to the container's root filesystem. This flaw allows the container to read and write arbitrary files on the host system." ],
  "statement" : "Red Hat OpenShift Container Platform (OCP) ships the affected cri-o container runtime; however, it does not load untrusted containers, so the impact is reduced to Important. Clusters that do admit untrusted or multi-tenant workloads should not rely on this reduction and should prioritize the update.",
  "acknowledgement" : "Red Hat would like to thank Erik Sjölund (erik.sjolund@gmail.com) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.12",
    "release_date" : "2024-06-27T00:00:00Z",
    "advisory" : "RHSA-2024:4008",
    "cpe" : "cpe:/a:redhat:openshift:4.12::el8",
    "package" : "cri-o-0:1.25.5-21.2.rhaos4.12.gita3eb75f.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.13",
    "release_date" : "2024-07-17T00:00:00Z",
    "advisory" : "RHSA-2024:4486",
    "cpe" : "cpe:/a:redhat:openshift:4.13::el8",
    "package" : "cri-o-0:1.26.5-18.2.rhaos4.13.git2e90133.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2024-06-13T00:00:00Z",
    "advisory" : "RHSA-2024:3700",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el8",
    "package" : "cri-o-0:1.27.7-3.rhaos4.14.git674563e.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.15",
    "release_date" : "2024-06-11T00:00:00Z",
    "advisory" : "RHSA-2024:3676",
    "cpe" : "cpe:/a:redhat:openshift:4.15::el8",
    "package" : "cri-o-0:1.28.7-2.rhaos4.15.git111aec5.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2024-07-03T00:00:00Z",
    "advisory" : "RHSA-2024:4159",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el8",
    "package" : "cri-o-0:1.29.5-7.rhaos4.16.git7db4ada.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2024-07-03T00:00:00Z",
    "advisory" : "RHSA-2024:4159",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el8",
    "package" : "kernel-0:5.14.0-427.24.1.el9_4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2024-07-03T00:00:00Z",
    "advisory" : "RHSA-2024:4159",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el8",
    "package" : "openshift-0:4.16.0-202406191607.p0.g58452d8.assembly.stream.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.17",
    "release_date" : "2024-12-11T00:00:00Z",
    "advisory" : "RHSA-2024:10818",
    "cpe" : "cpe:/a:redhat:openshift:4.17::el9",
    "package" : "rhcos-417.94.202412040832-0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "container-tools:rhel8/podman",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "conmon",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Out of support scope",
    "package_name" : "cri-o",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-5154\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-5154\nhttps://github.com/cri-o/cri-o/security/advisories/GHSA-j9hf-98c3-wrm8" ],
  "name" : "CVE-2024-5154",
  "mitigation" : {
    "value" : "There is no mitigation available for this vulnerability; a package update is required. Because exploitation requires the ability to run a container on the host (CVSS PR:H), restricting who can schedule workloads reduces exposure but does not remove the flaw.",
    "lang" : "en:us"
  },
  "csaw" : false
}