VulnerableCode Package Details - pkg:rpm/redhat/cri-o@1.26.5-16.2.rhaos4.13.git67e2a9d?arch=el8

Search for packages

Vulnerability	Summary	Fixed by
VCID-g3wj-7845-e3bs Aliases: CVE-2024-3154 GHSA-2cgq-h8xw-2v5j	CRI-O vulnerable to an arbitrary systemd property injection ### Impact On CRI-O, it looks like an arbitrary systemd property can be injected via a Pod annotation: ``` --- apiVersion: v1 kind: Pod metadata: name: poc-arbitrary-systemd-property-injection annotations: # I believe that ExecStart with an arbitrary command works here too, # but I haven't figured out how to marshalize the ExecStart struct to gvariant string. org.systemd.property.SuccessAction: "'poweroff-force'" spec: containers: - name: hello image: [quay.io/podman/hello](http://quay.io/podman/hello) ``` This means that any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. Tested with CRI-O v1.24 on minikube. I didn't test the latest v1.29 because it is incompatible with minikube: https://github.com/kubernetes/minikube/pull/18367 Thanks to Cédric Clerget (GitHub ID @cclerget) for finding out that CRI-O just passes pod annotations to OCI annotations: https://github.com/opencontainers/runc/pull/3923#discussion_r1532292536 CRI-O has to filter out annotations that have the prefix "org.systemd.property." See also: - https://github.com/opencontainers/runtime-spec/blob/main/features.md#unsafe-annotations-in-configjson - https://github.com/opencontainers/runc/pull/4217 ### Workarounds Unfortunately, the only workarounds would involve an external mutating webhook to disallow these annotations ### References	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-g3wj-7845-e3bs
Aliases:
CVE-2024-3154
GHSA-2cgq-h8xw-2v5j

CRI-O vulnerable to an arbitrary systemd property injection ### Impact On CRI-O, it looks like an arbitrary systemd property can be injected via a Pod annotation: ``` --- apiVersion: v1 kind: Pod metadata: name: poc-arbitrary-systemd-property-injection annotations: # I believe that ExecStart with an arbitrary command works here too, # but I haven't figured out how to marshalize the ExecStart struct to gvariant string. org.systemd.property.SuccessAction: "'poweroff-force'" spec: containers: - name: hello image: [quay.io/podman/hello](http://quay.io/podman/hello) ``` This means that any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. Tested with CRI-O v1.24 on minikube. I didn't test the latest v1.29 because it is incompatible with minikube: https://github.com/kubernetes/minikube/pull/18367 Thanks to Cédric Clerget (GitHub ID @cclerget) for finding out that CRI-O just passes pod annotations to OCI annotations: https://github.com/opencontainers/runc/pull/3923#discussion_r1532292536 CRI-O has to filter out annotations that have the prefix "org.systemd.property." See also: - https://github.com/opencontainers/runtime-spec/blob/main/features.md#unsafe-annotations-in-configjson - https://github.com/opencontainers/runc/pull/4217 ### Workarounds Unfortunately, the only workarounds would involve an external mutating webhook to disallow these annotations ### References

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:48:05.933473+00:00	RedHat Importer	Affected by	VCID-g3wj-7845-e3bs	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-3154.json	38.0.0

2026-04-01T13:48:05.933473+00:00

RedHat Importer

Affected by

VCID-g3wj-7845-e3bs

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-3154.json

38.0.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	4.0