CVE-2024-9341: Podman/Buildah/CRI-O Container Escape via FIPS Crypto-Policy Mounting Issue

Key Information Vulnerability Description CVE Number: CVE-2024-9341 Vulnerability Name: Podman: Buildah: cri-o: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library Report Date: 2024-09-30 15:47 UTC Reporter: OSIDB Bzimport Fix Date: 2024-10-01 18:12 UTC Fixed Version: Not specified Description: When FIPS mode is enabled, container runtimes (such as Podman, Buildah, and CRI-O) may mishandle certain file paths due to incorrect validation in the containers/common Go library. This allows attackers to exploit symbolic links and trick the system into mounting sensitive host directories into containers. Additionally, attackers can access critical files on the host, bypassing isolation between containers and the host system. Impact Scope Component: containers/common Go library Products: Podman, Buildah, and CRI-O Operating System: Linux Hardware: All hardware Priority: Medium Severity: Medium Additional Information Target Milestone: Not specified Assigned To: Product Security DevOps Team Documentation Contact: Not specified Dependencies: Not specified Blocks: Not specified Whiteboard: Not specified URL: Not specified Comments: Login required to comment or modify this vulnerability. Summary This vulnerability allows attackers to exploit container runtimes under FIPS mode, mounting sensitive host directories into containers and thereby accessing critical files on the host. The fixed version is not specified, but the issue has been confirmed and resolved. The affected component is the containers/common Go library, impacting Podman, Buildah, and CRI-O, on Linux operating systems, across all hardware, with both priority and severity rated as medium.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2024-9341: Podman/Buildah/CRI-O Container Escape via FIPS Crypto-Policy Mounting Issue