CVE-2024-8676

Published: Nov 26, 2024

Modified: May 18, 2026

PUBLISHED

CVSS v3.1

7.4

HIGH

Description

A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.

Vendor	Product	Versions
Unknown	cri-o	affected `0 - < 1.29.11` affected `1.30.0 - < 1.30.8` affected `1.31.0 - < 1.31.3`
Red Hat	Red Hat OpenShift Container Platform 4.15	unaffected `0:1.28.11-7.rhaos4.15.gitc4c0556.el8 - < *`
Red Hat	Red Hat OpenShift Container Platform 4.16	unaffected `0:1.29.11-3.rhaos4.16.git16d9bd6.el8 - < *`
Red Hat	Red Hat OpenShift Container Platform 4.16	unaffected `416.94.202506251808-0 - < *`
Red Hat	Red Hat OpenShift Container Platform 4.17	unaffected `417.94.202503241418-0 - < *`
Red Hat	Red Hat OpenShift Container Platform 4.18	unaffected `0:1.31.5-5.rhaos4.18.git6dfa0a6.el8 - < *`
Red Hat	Red Hat OpenShift Container Platform 4.18	unaffected `418.94.202504231329-0 - < *`
Red Hat	Red Hat Enterprise Linux 8	All versions
Red Hat	Red Hat Enterprise Linux 8	All versions
Red Hat	Red Hat Enterprise Linux 9	All versions
Red Hat	Red Hat OpenShift Container Platform 3.11	All versions
Red Hat	Red Hat OpenShift Container Platform 4	All versions
Red Hat	Red Hat OpenShift Container Platform 4	All versions