Bug 2313842 (CVE-2024-8676) - CVE-2024-8676 cri-o: Checkpoint restore can be triggered from different namespaces

Key Information:
Bug ID: 2313842
CVE ID: CVE-2024-8676
Product: Security Response
Component: vulnerability
Version: unspecified
Severity: medium
Status: NEW
Reported: 2024-09-20 20:15 UTC by OSIDB Bzimport
Modified: 2024-11-26 18:23 UTC
Assignee: Product Security DevOps Team
Doc Type: If docs needed, set a value

Doc Text:
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it performs that restoration, it restores the mounts recorded in the checkpoint archive instead of the mounts in the pod request. As a result, the validations run on the pod spec, which verify that the pod has access to the mounts it specifies, are not applied to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod with host mounts that its pod spec does not grant it access to. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.

Additional Information:
Target Milestone: ---
Environment: ---
Last Closed: ---
Embargoed: ---

Attachments:
A checkpoint restore for namespace B can be triggered from namespace A breaking pods security contexts.
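The check that the Doc Text describes as missing, shown as an added illustration in Go (this is not CRI-O's own code; the Mount type and ValidateRestoredMounts are constructed for this example): a mount recovered from a checkpoint archive is accepted only if the pod request, which is what admission and kubelet validation actually inspected, already declared that same mount, and the archive may not widen a read-only mount to read-write.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// Mount is a simplified host-path mount (constructed for this example).
type Mount struct {
	HostPath      string
	ContainerPath string
	ReadOnly      bool
}

// key normalises both paths so "/var/lib/app/" and "/var/lib/app" compare equal.
func key(m Mount) string {
	return filepath.Clean(m.HostPath) + "\x00" + filepath.Clean(m.ContainerPath)
}

// ValidateRestoredMounts rejects any mount from the checkpoint archive that the
// validated pod request did not declare, or that the archive tries to make
// writable when the request declared it read-only. Returning an error here
// keeps the archive from becoming a second, unvalidated source of mounts.
func ValidateRestoredMounts(requested, restored []Mount) error {
	allowed := make(map[string]Mount, len(requested))
	for _, m := range requested {
		allowed[key(m)] = m
	}
	for _, m := range restored {
		req, ok := allowed[key(m)]
		if !ok {
			return fmt.Errorf("restored mount %q -> %q is not declared in the pod request", m.HostPath, m.ContainerPath)
		}
		if req.ReadOnly && !m.ReadOnly {
			return fmt.Errorf("restored mount %q widens read-only to read-write", m.ContainerPath)
		}
	}
	return nil
}

func main() {
	// Constructed sample: the pod request declares one read-only mount; the
	// archive additionally carries a host mount the request never mentioned.
	requested := []Mount{{HostPath: "/var/lib/app", ContainerPath: "/data", ReadOnly: true}}
	fromArchive := append(requested, Mount{HostPath: "/etc", ContainerPath: "/host-etc"})
	fmt.Println("archive mounts accepted:", ValidateRestoredMounts(requested, requested) == nil)
	fmt.Println("extra host mount rejected:", ValidateRestoredMounts(requested, fromArchive) != nil)
}
```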