πŸ” CVE Alert

CVE-2024-3154

HIGH 7.2

Cri-o: arbitrary command injection via pod annotation

CVSS Score
7.2
EPSS Score
0.0%
EPSS Percentile
0th

A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.

CWE CWE-77
Published Apr 26, 2024
Last Updated Nov 20, 2025
Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new high vulnerabilities are published β€” delivered to Slack, Telegram or Discord.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

Red Hat / Red Hat OpenShift Container Platform 4.12
All versions affected
Red Hat / Red Hat OpenShift Container Platform 4.13
All versions affected
Red Hat / Red Hat OpenShift Container Platform 4.14
All versions affected
Red Hat / Red Hat OpenShift Container Platform 4.15
All versions affected
Red Hat / Red Hat OpenShift Container Platform 3.11
All versions affected

References

NVD β†— CVE.org β†— EPSS Data β†—
access.redhat.com: https://access.redhat.com/errata/RHSA-2024:2669 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:2672 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:2784 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:3496 access.redhat.com: https://access.redhat.com/security/cve/CVE-2024-3154 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2272532 github.com: https://github.com/cri-o/cri-o/security/advisories/GHSA-2cgq-h8xw-2v5j github.com: https://github.com/opencontainers/runc/pull/4217 github.com: https://github.com/opencontainers/runtime-spec/blob/main/features.md#unsafe-annotations-in-configjson

Credits

Red Hat would like to thank Akihiro Suda and CΓ©dric Clerget for reporting this issue. Upstream acknowledges the CRI-O team as the original reporter.