Cyber Resilience

CVE-2024-9676

Severity: Medium
Published: 15 October 2024
Modified: 19 March 2026
KEV: not listed
CVSS v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.0156 (81.9th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-9676 is a medium-severity path traversal (CWE-22) vulnerability affecting Red Hat OpenShift Container Platform. Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 18.1% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

Vulnerability details

A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library reads /etc/passwd inside the container but does not properly validate whether that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.

CWE(s)

CWE-22: Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why this technique?

The symlink traversal in the containers/storage library lets a malicious image redirect the read of /etc/passwd to an arbitrary host file during automatic user-namespace mapping. The resulting process hang and OOM kill deny availability of the container runtime, which matches endpoint denial of service through application exploitation.

MITRE ATLAS Techniques

AML.T0048: External Harms

Affected Assets

Vendor / Product: Versions
redhat / openshift container platform: 4.12, 4.13, 4.14, 4.15, 4.16
redhat / openshift container platform for arm64: 4.12, 4.13, 4.14, 4.15, 4.16
redhat / openshift container platform for ibm z: 4.12, 4.13, 4.14, 4.15, 4.16
redhat / openshift container platform for linuxone: 4.12, 4.13, 4.14, 4.15, 4.16
redhat / openshift container platform for power: 4.12, 4.13, 4.14, 4.15, 4.16
redhat / enterprise linux: 9.0
redhat / enterprise linux eus: 9.4
redhat / enterprise linux for arm 64: 9.0_aarch64
redhat / enterprise linux for arm 64 eus: 9.4_aarch64
redhat / enterprise linux for ibm z systems: 9.0_s390x
+5 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.