High severity 7.2 · GHSA Advisory · Published Apr 26, 2024 · Updated Apr 15, 2026
CVE-2024-3154
Description
A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/cri-o/cri-o (Go) | >= 1.29.0, < 1.29.4 | 1.29.4 |
| github.com/cri-o/cri-o (Go) | >= 1.28.0, < 1.28.6 | 1.28.6 |
| github.com/cri-o/cri-o (Go) | < 1.27.6 | 1.27.6 |
Affected products
References
- github.com/advisories/GHSA-2cgq-h8xw-2v5j (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-3154 (ghsa, ADVISORY)
- access.redhat.com/security/cve/CVE-2024-3154 (nvd, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd, WEB)
- github.com/cri-o/cri-o/security/advisories/GHSA-2cgq-h8xw-2v5j (nvd, WEB)
- github.com/opencontainers/runc/pull/4217 (nvd, WEB)
- github.com/opencontainers/runtime-spec/blob/main/features.md (nvd, WEB)
- access.redhat.com/errata/RHSA-2024:2669 (nvd)
- access.redhat.com/errata/RHSA-2024:2672 (nvd)
- access.redhat.com/errata/RHSA-2024:2784 (nvd)
- access.redhat.com/errata/RHSA-2024:3496 (nvd)