x/vulndb: potential Go vuln in github.com/cri-o/cri-o: GHSA-7p9f-6x8j-gxxp #3292

GoVulnBot · 2024-11-26T22:01:24Z

Advisory GHSA-7p9f-6x8j-gxxp references a vulnerability in the following Go modules:

Module
github.com/cri-o/cri-o

Description:

Impact

Patches

1.31.1, 1.30.6, 1.29.8

Workarounds

set enable_criu_support = false

References

Are there any links users can visit to find out more?

References:

ADVISORY: GHSA-7p9f-6x8j-gxxp
ADVISORY: GHSA-7p9f-6x8j-gxxp
ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-8676
FIX: cri-o/cri-o@e8e7dcb
WEB: https://access.redhat.com/security/cve/CVE-2024-8676
WEB: https://bugzilla.redhat.com/show_bug.cgi?id=2313842

Cross references:

github.com/cri-o/cri-o appears in 10 other report(s):
- data/reports/GO-2022-0354.yaml (x/vulndb: potential Go vuln in github.com/cri-o/cri-o: CVE-2022-0811 #354)
- data/reports/GO-2022-0363.yaml (x/vulndb: potential Go vuln in github.com/cri-o/cri-o: GHSA-w2j5-3rcx-vx7x #363)
- data/reports/GO-2022-0426.yaml (x/vulndb: potential Go vuln in github.com/cri-o/cri-o: CVE-2022-27652 #426)
- data/reports/GO-2022-0480.yaml (x/vulndb: potential Go vuln in github.com/cri-o/cri-o: CVE-2022-1708 #480)
- data/reports/GO-2022-0608.yaml (x/vulndb: potential Go vuln in github.com/cri-o/cri-o: GHSA-jqmc-79gx-7g8p #608)
- data/reports/GO-2022-1014.yaml (x/vulndb: potential Go vuln in github.com/cri-o/cri-o: CVE-2022-2995 #1014)
- data/reports/GO-2022-1206.yaml (x/vulndb: potential Go vuln in github.com/cri-o/cri-o: GHSA-cm9x-c3rh-7rc4 #1206)
- data/reports/GO-2024-2458.yaml (x/vulndb: potential Go vuln in github.com/cri-o/cri-o: GHSA-p4rx-7wvg-fwrc #2458)
- data/reports/GO-2024-2791.yaml (x/vulndb: potential Go vuln in github.com/cri-o/cri-o: CVE-2024-3154 #2791)
- data/reports/GO-2024-2919.yaml (x/vulndb: potential Go vuln in github.com/cri-o/cri-o: CVE-2024-5154 #2919)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cri-o/cri-o
      versions:
        - introduced: 1.30.0
        - introduced: 1.31.0
      non_go_versions:
        - fixed: 1.29.11
        - fixed: 1.30.8
        - fixed: 1.31.3
      vulnerable_at: 1.31.2
summary: 'CRI-O: Maliciously structured checkpoint file can gain arbitrary node access in github.com/cri-o/cri-o'
cves:
    - CVE-2024-8676
ghsas:
    - GHSA-7p9f-6x8j-gxxp
references:
    - advisory: https://github.com/advisories/GHSA-7p9f-6x8j-gxxp
    - advisory: https://github.com/cri-o/cri-o/security/advisories/GHSA-7p9f-6x8j-gxxp
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8676
    - fix: https://github.com/cri-o/cri-o/commit/e8e7dcb7838d11b5157976bf3e31a5840bb77de7
    - web: https://access.redhat.com/security/cve/CVE-2024-8676
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=2313842
source:
    id: GHSA-7p9f-6x8j-gxxp
    created: 2024-11-26T22:01:24.604637589Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-12-04T16:14:34Z

Change https://go.dev/cl/633598 mentions this issue: data/reports: add 6 unreviewed reports

tatianab added the triaged label Nov 27, 2024

gopherbot closed this as completed in 9d72e77 Dec 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/cri-o/cri-o: GHSA-7p9f-6x8j-gxxp #3292

x/vulndb: potential Go vuln in github.com/cri-o/cri-o: GHSA-7p9f-6x8j-gxxp #3292

GoVulnBot commented Nov 26, 2024

gopherbot commented Dec 4, 2024

x/vulndb: potential Go vuln in github.com/cri-o/cri-o: GHSA-7p9f-6x8j-gxxp #3292

x/vulndb: potential Go vuln in github.com/cri-o/cri-o: GHSA-7p9f-6x8j-gxxp #3292

Comments

GoVulnBot commented Nov 26, 2024

Impact

Patches

Workarounds

References

gopherbot commented Dec 4, 2024