{"timestamp":"2024-11-26T21:01:28.945651Z","id":"CVE-2024-8676","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}

[{"defaultStatus":"unaffected","collectionURL":"https://github.com/cri-o/cri-o","packageName":"cri-o","versions":[{"version":"0","lessThan":"1.29.11","versionType":"semver","status":"affected"},{"version":"1.30.0","lessThan":"1.30.8","versionType":"semver","status":"affected"},{"version":"1.31.0","lessThan":"1.31.3","versionType":"semver","status":"affected"}]},{"vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.15","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"cri-o","cpes":["cpe:/a:redhat:openshift:4.15::el8","cpe:/a:redhat:openshift:4.15::el9"],"versions":[{"version":"0:1.28.11-7.rhaos4.15.gitc4c0556.el8","lessThan":"*","versionType":"rpm","status":"unaffected"}]},{"vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.16","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"cri-o","cpes":["cpe:/a:redhat:openshift:4.16::el8","cpe:/a:redhat:openshift:4.16::el9"],"versions":[{"version":"0:1.29.11-3.rhaos4.16.git16d9bd6.el8","lessThan":"*","versionType":"rpm","status":"unaffected"}]},{"vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.16","defaultStatus":"affected","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhcos","cpes":["cpe:/a:redhat:openshift:4.16::el9"],"versions":[{"version":"416.94.202506251808-0","lessThan":"*","versionType":"rpm","status":"unaffected"}]},{"vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.17","defaultStatus":"affected","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhcos","cpes":["cpe:/a:redhat:openshift:4.17::el9"],"versions":[{"version":"417.94.202503241418-0","lessThan":"*","versionType":"rpm","status":"unaffected"}]},{"vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4.18","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName

https://access.redhat.com/errata/RHSA-2025:9765

https://access.redhat.com/errata/RHSA-2025:4211

https://access.redhat.com/errata/RHSA-2025:3297

https://access.redhat.com/errata/RHSA-2025:1908

https://access.redhat.com/errata/RHSA-2025:0648

https://access.redhat.com/errata/RHBA-2024:10826

A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-285

https://access.redhat.com/security/cve/CVE-2024-8676

https://bugzilla.redhat.com/show_bug.cgi?id=2313842