CVE-2024-9341

Published: Oct 1, 2024Modified: Dec 11, 2024

8.2

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Exploitability: 2.8 / Impact: 4.7

Source: NVD

Description

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.

Affected (9)

Products: Containers: Common · Redhat: Enterprise Linux, Openshift Container Platform

1 product

2 products

Enterprise Linux

Openshift Container Platform

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Containers Common	All versions

Configuration B

8 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 8.0
Redhat Enterprise Linux	Version 9.0
Redhat Openshift Container Platform	Version 4.12
Redhat Openshift Container Platform	Version 4.13
Redhat Openshift Container Platform	Version 4.14
Redhat Openshift Container Platform	Version 4.15
Redhat Openshift Container Platform	Version 4.16
Redhat Openshift Container Platform	Version 4.17

Related CWEs

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (17)

https://access.redhat.com/errata/RHSA-2024:10147

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2024:10818

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2024:7925

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:8039

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:8112

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:8238

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:8263

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:8428

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:8690

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:8694

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:8846

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:9454

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:9459

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/security/cve/CVE-2024-9341

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2315691

Source: secalert@redhat.com

Issue TrackingThird Party Advisory

https://github.com/containers/common/blob/384f77532f67afc8a73d8e0c4adb0d195df57714/pkg/subscriptions/subscriptions.go#L169

Source: secalert@redhat.com

Product

https://github.com/containers/common/blob/384f77532f67afc8a73d8e0c4adb0d195df57714/pkg/subscriptions/subscriptions.go#L349

Source: secalert@redhat.com

Product

Timeline

No history available yet.