VulnerableCode Package Details - pkg:rpm/redhat/cri-o@1.27.6-2.rhaos4.14.gitb3bd0bf?arch=el8

Search for packages

Vulnerability	Summary	Fixed by
VCID-bq1t-9nnj-mkes Aliases: CVE-2024-28180 GHSA-c5q2-7r4c-mv6g	Go JOSE vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) ### Impact An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting. ### Patches The problem is fixed in the following packages and versions: - github.com/go-jose/go-jose/v4 version 4.0.1 - github.com/go-jose/go-jose/v3 version 3.0.3 - gopkg.in/go-jose/go-jose.v2 version 2.6.3 The problem will not be fixed in the following package because the package is archived: - gopkg.in/square/go-jose.v2	There are no reported fixed by versions.
VCID-g3wj-7845-e3bs Aliases: CVE-2024-3154 GHSA-2cgq-h8xw-2v5j	CRI-O vulnerable to an arbitrary systemd property injection ### Impact On CRI-O, it looks like an arbitrary systemd property can be injected via a Pod annotation: ``` --- apiVersion: v1 kind: Pod metadata: name: poc-arbitrary-systemd-property-injection annotations: # I believe that ExecStart with an arbitrary command works here too, # but I haven't figured out how to marshalize the ExecStart struct to gvariant string. org.systemd.property.SuccessAction: "'poweroff-force'" spec: containers: - name: hello image: [quay.io/podman/hello](http://quay.io/podman/hello) ``` This means that any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. Tested with CRI-O v1.24 on minikube. I didn't test the latest v1.29 because it is incompatible with minikube: https://github.com/kubernetes/minikube/pull/18367 Thanks to Cédric Clerget (GitHub ID @cclerget) for finding out that CRI-O just passes pod annotations to OCI annotations: https://github.com/opencontainers/runc/pull/3923#discussion_r1532292536 CRI-O has to filter out annotations that have the prefix "org.systemd.property." See also: - https://github.com/opencontainers/runtime-spec/blob/main/features.md#unsafe-annotations-in-configjson - https://github.com/opencontainers/runc/pull/4217 ### Workarounds Unfortunately, the only workarounds would involve an external mutating webhook to disallow these annotations ### References	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-bq1t-9nnj-mkes
Aliases:
CVE-2024-28180
GHSA-c5q2-7r4c-mv6g

Go JOSE vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) ### Impact An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting. ### Patches The problem is fixed in the following packages and versions: - github.com/go-jose/go-jose/v4 version 4.0.1 - github.com/go-jose/go-jose/v3 version 3.0.3 - gopkg.in/go-jose/go-jose.v2 version 2.6.3 The problem will not be fixed in the following package because the package is archived: - gopkg.in/square/go-jose.v2

There are no reported fixed by versions.

VCID-g3wj-7845-e3bs
Aliases:
CVE-2024-3154
GHSA-2cgq-h8xw-2v5j

CRI-O vulnerable to an arbitrary systemd property injection ### Impact On CRI-O, it looks like an arbitrary systemd property can be injected via a Pod annotation: ``` --- apiVersion: v1 kind: Pod metadata: name: poc-arbitrary-systemd-property-injection annotations: # I believe that ExecStart with an arbitrary command works here too, # but I haven't figured out how to marshalize the ExecStart struct to gvariant string. org.systemd.property.SuccessAction: "'poweroff-force'" spec: containers: - name: hello image: [quay.io/podman/hello](http://quay.io/podman/hello) ``` This means that any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. Tested with CRI-O v1.24 on minikube. I didn't test the latest v1.29 because it is incompatible with minikube: https://github.com/kubernetes/minikube/pull/18367 Thanks to Cédric Clerget (GitHub ID @cclerget) for finding out that CRI-O just passes pod annotations to OCI annotations: https://github.com/opencontainers/runc/pull/3923#discussion_r1532292536 CRI-O has to filter out annotations that have the prefix "org.systemd.property." See also: - https://github.com/opencontainers/runtime-spec/blob/main/features.md#unsafe-annotations-in-configjson - https://github.com/opencontainers/runc/pull/4217 ### Workarounds Unfortunately, the only workarounds would involve an external mutating webhook to disallow these annotations ### References

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:49:12.588971+00:00	RedHat Importer	Affected by	VCID-bq1t-9nnj-mkes	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28180.json	38.0.0
2026-04-01T13:48:05.915102+00:00	RedHat Importer	Affected by	VCID-g3wj-7845-e3bs	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-3154.json	38.0.0

2026-04-01T13:49:12.588971+00:00

RedHat Importer

Affected by

VCID-bq1t-9nnj-mkes

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28180.json

38.0.0

2026-04-01T13:48:05.915102+00:00

RedHat Importer

Affected by

VCID-g3wj-7845-e3bs

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-3154.json

38.0.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	4.0