CVE-2024-9341

Aliases:GHSA-mc76-5925-c5p6GO-2024-3171

Advisory lineage Upstream: 0 Downstream: 26

Downstream

DEBIAN-CVE-2024-9341 MGASA-2024-0343 OPENSUSE-SU-2024:0350-1 OPENSUSE-SU-2024:14388-1 OPENSUSE-SU-2024:14390-1 OPENSUSE-SU-2024:14447-1

Modified

Published: 01 Oct 2024, 18:52

Last modified:19 Mar 2026, 17:19

Vulnerability Summary

Overall Risk (default)

medium

33/100

CVSS Score

8.2 HIGH

v3.1 (nvd)

EPSS Score

0.9% LOW

1% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

01 Oct 2024, 18:52

Published

Vulnerability first disclosed

19 Mar 2026, 17:19

Last Modified

Vulnerability information updated

Description

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.

CVSS Metrics

v4.0•MEDIUM•Score: 5.8CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
v3.1•MEDIUM•Score: 5.4CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
v3.1•HIGH•Score: 8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

EPSS Trends

Current EPSS score: 0.90%• Percentile: 76%

Techniques & Countermeasures

CWE-59•Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Affected Systems

github.com/containers•common
< 0.60.4
redhat•enterprise_linux
8.0 | 9.0
redhat•openshift_container_platform
4.12 | 4.13 | 4.14 | 4.15 | 4.16 | 4.17