CVE-2024-3154

A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/3xxx/CVE-2024-3154.json",
    "cna_assigner": "redhat",
    "cwe_ids": [
        "CWE-77"
    ]
}

References

Affected packages

Git / github.com/cri-o/cri-o

Affected ranges

Type

GIT

Repo

https://github.com/cri-o/cri-o

Events

Introduced

Last affected

be29f54234bd63c77ccfb55863a8a8e251de65bf

Last affected

108c065f0fb105c8a70fa9d52b91678c261665a4

Last affected

12c618780c42414d92d6a8dc8d09c16337668eb2

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.27.5"
        },
        {
            "last_affected": "1.28.5"
        },
        {
            "last_affected": "1.29.3"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v0.*

v0.0.0

v0.1

v0.2

v0.3

v1.*

v1.0.0-alpha.0

v1.0.0-beta.0

v1.0.0-rc1

v1.18.0-rc1

v1.21.0

v1.22.0

v1.23.0

v1.24.0

v1.25.0

v1.26.0

v1.27.0

v1.27.1

v1.27.2

v1.27.3

v1.27.4

v1.27.5

v1.28.0

v1.28.1

v1.28.2

v1.28.3

v1.28.4

v1.28.5

v1.29.1

v1.29.2

v1.29.3

v1.9.0-beta.1

v1.9.0-beta.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-3154.json"