{"id":"CVE-2024-5154","details":"A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../”). This flaw allows the container to read and write to arbitrary files on the host system.","aliases":["GHSA-j9hf-98c3-wrm8","GO-2024-2919"],"modified":"2026-04-09T10:27:17.431943Z","published":"2024-06-12T09:15:19.973Z","related":["GHSA-j9hf-98c3-wrm8"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:4008"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:4159"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2024-5154"},{"type":"ADVISORY","url":"https://github.com/cri-o/cri-o/security/advisories/GHSA-j9hf-98c3-wrm8"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:10818"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:3676"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:3700"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:4486"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2280190"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kubernetes-incubator/cri-o","events":[{"introduced":"0"},{"last_affected":"77bbb1c279801c7d5c88b39281e22c033ccde362"},{"introduced":"0"},{"last_affected":"51ea93e0b9af5ad2cfa7f8071ec48d99bf39a3ec"},{"introduced":"0"},{"last_affected":"d519447937c4711db9ad3e783ab2b8121b39b996"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.28.6"},{"introduced":"0"},{"last_affected":"1.29.4"},{"introduced":"0"},{"last_affected":"1.30.0"}]}}],"versions":["v0.0.0","v0.1","v0.2","v0.3","v1.0.0-alpha.0","v1.0.0-beta.0","v1.0.0-rc1","v1.18.0-rc1","v1.21.0","v1.22.0","v1.23.0","v1.24.0","v1.25.0","v1.26.0","v1.27.0","v1.28.0","v1.28.1","v1.28.2","v1.28.3","v1.28.4","v1.28.5","v1.28.6","v1.29.0","v1.29.1","v1.29.2","v1.29.3","v1.29.4","v1.30.0","v1.9.0-beta.1","v1.9.0-b
eta.2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"3.11"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.12"}]},{"events":[{"introduced":"0"},{"last_affected":"4.13"}]},{"events":[{"introduced":"0"},{"last_affected":"4.14"}]},{"events":[{"introduced":"0"},{"last_affected":"4.15"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-5154.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"}]}