Products
Docker
Source
secalert@redhat.com
Tags
CVE-2024-9341 details
Published : Oct. 1, 2024, 7:15 p.m.
Last Modified : Oct. 1, 2024, 7:15 p.m.
Last Modified : Oct. 1, 2024, 7:15 p.m.
Description
A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.
CVSS Score
| 1 | 2 | 3 | 4 | 5.4 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
Base Score
5.4
Exploitability Score
1.2
Impact Score
4.2
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
References
| URL | Source |
|---|---|
| https://access.redhat.com/security/cve/CVE-2024-9341 | secalert@redhat.com |
| https://bugzilla.redhat.com/show_bug.cgi?id=2315691 | secalert@redhat.com |
| https://github.com/containers/common/blob/384f77532f67afc8a73d8e0c4adb0d195df57714/pkg/subscriptions/subscriptions.go#L169 | secalert@redhat.com |
| https://github.com/containers/common/blob/384f77532f67afc8a73d8e0c4adb0d195df57714/pkg/subscriptions/subscriptions.go#L349 | secalert@redhat.com |
This website uses the NVD API, but is not approved or certified by it.