VDB

RHSA-2025%3A3297

RHSA-2025%3A3297 PUBLISHED CVSS 7.400000095367432 HIGH

A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.

Risk Scores

CVSS 3.1
7.400000095367432
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products

VendorProductVersions
Red Hatopenshift4/ose-csi-external-provisioner-rhel9@sha256:e76c1a9c893c0aff2f63da557314126bcd57d57dfecdfc86ae8c54a7aefbe5af_ppc64le as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-csi-external-provisioner-rhel9@sha256:e76c1a9c893c0aff2f63da557314126bcd57d57dfecdfc86ae8c54a7aefbe5af_ppc64le
Red Hatopenshift4/ose-deployer-rhel9@sha256:9e021e16cd69f51f6fdeb960095ddabe86b91a229a421e2a14de7e9fe1dc0079_s390x as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-deployer-rhel9@sha256:9e021e16cd69f51f6fdeb960095ddabe86b91a229a421e2a14de7e9fe1dc0079_s390x
Red Hatopenshift4/ose-cluster-dns-rhel9-operator@sha256:f2c19c1ef80d986843a42bb60f0e45cc4bf934be572ec3c94871dc68bf105f8e_ppc64le as a component of Red Hat OpenShift Container Platform 4.17*
Red Hatopenshift4/ose-cluster-csi-snapshot-controller-rhel9-operator@sha256:7bbf0e539f413e5dd900435ff32fed9cc7c7c6fc53a6b90d3cc51192586343a6_amd64 as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-cluster-csi-snapshot-controller-rhel9-operator@sha256:7bbf0e539f413e5dd900435ff32fed9cc7c7c6fc53a6b90d3cc51192586343a6_amd64
Red Hatopenshift4/ose-prometheus-operator-admission-webhook-rhel9@sha256:c72a2935345f14d23e0b4e421354974b6b57d4f0c9e77b8022272b40fc16d2b7_s390x as a component of Red Hat OpenShift Container Platform 4.17*
Red Hatopenshift4/ose-aws-cluster-api-controllers-rhel9@sha256:5f05ac15ef7dc205d3205816e5968d74e6762332d5a4ead4625be478161c0de6_arm64 as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-aws-cluster-api-controllers-rhel9@sha256:5f05ac15ef7dc205d3205816e5968d74e6762332d5a4ead4625be478161c0de6_arm64
Red Hatopenshift4/ose-baremetal-runtimecfg-rhel9@sha256:2ca41d29fafcb0982e87532ad4bcf021c648664555ae1be4cd3774c49a1f2444_s390x as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-baremetal-runtimecfg-rhel9@sha256:2ca41d29fafcb0982e87532ad4bcf021c648664555ae1be4cd3774c49a1f2444_s390x
Red Hatopenshift4/ose-coredns-rhel9@sha256:bc471f69d33df100da2b930ae436da3bb978fd86d43704f4afb18e04ccd06f3e_s390x as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-coredns-rhel9@sha256:bc471f69d33df100da2b930ae436da3bb978fd86d43704f4afb18e04ccd06f3e_s390x
Red Hatopenshift4/ose-networking-console-plugin-rhel9@sha256:61f83ba78deaf0e104296d46b1b23a3cf22ce703aea182f5e899c98ef48eb412_s390x as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-networking-console-plugin-rhel9@sha256:61f83ba78deaf0e104296d46b1b23a3cf22ce703aea182f5e899c98ef48eb412_s390x
Red Hatopenshift4/cloud-network-config-controller-rhel9@sha256:b52946437bf63227a8dd9b22b069e61a9fa0bb9a5e4be7f5cedf3f55c4ec35cc_arm64 as a component of Red Hat OpenShift Container Platform 4.17*
Red Hatopenshift4/ose-cluster-bootstrap-rhel9@sha256:3c7654a40a54e62fa13277cdc9c4d79aef1ffc467cd3288ce2db5134de387985_arm64 as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-cluster-bootstrap-rhel9@sha256:3c7654a40a54e62fa13277cdc9c4d79aef1ffc467cd3288ce2db5134de387985_arm64
Red Hatopenshift4/ovirt-csi-driver-rhel9-operator@sha256:ad10c5c781c2ec18084139b7fc7e369a7f197f6ec9b464b54a0ac77ebd7709fb_amd64 as a component of Red Hat OpenShift Container Platform 4.17openshift4/ovirt-csi-driver-rhel9-operator@sha256:ad10c5c781c2ec18084139b7fc7e369a7f197f6ec9b464b54a0ac77ebd7709fb_amd64
Red Hatopenshift4/ose-cloud-credential-rhel9-operator@sha256:b35904e3a010256a73750eb8dfb185d81b12375a90c55cc30cc05c43cb4b2b86_amd64 as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-cloud-credential-rhel9-operator@sha256:b35904e3a010256a73750eb8dfb185d81b12375a90c55cc30cc05c43cb4b2b86_amd64
Red Hatopenshift4/ose-csi-driver-shared-resource-webhook-rhel9@sha256:156bee713e5c1e39172b14b99c66bb0a80a45d425ee58b1b631e005110a2bd26_amd64 as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-csi-driver-shared-resource-webhook-rhel9@sha256:156bee713e5c1e39172b14b99c66bb0a80a45d425ee58b1b631e005110a2bd26_amd64
Red Hatopenshift4/ose-operator-lifecycle-manager-rhel9@sha256:bb4eef9077ca6dd17e9e8dd92d5ef7aba12859f6510fe19564047dd4f4b810ee_ppc64le as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-operator-lifecycle-manager-rhel9@sha256:bb4eef9077ca6dd17e9e8dd92d5ef7aba12859f6510fe19564047dd4f4b810ee_ppc64le
Red Hatopenshift4/ose-openshift-controller-manager-rhel9@sha256:54eae4e13bf84e4400313581a9c1650763ced089bb063830f272e5c6a111c91d_ppc64le as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-openshift-controller-manager-rhel9@sha256:54eae4e13bf84e4400313581a9c1650763ced089bb063830f272e5c6a111c91d_ppc64le
Red Hatopenshift4/ose-machine-api-rhel9-operator@sha256:7c1966265800c8279bc94d13ffc5724df53045604945f79113041b9e61ad4df2_ppc64le as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-machine-api-rhel9-operator@sha256:7c1966265800c8279bc94d13ffc5724df53045604945f79113041b9e61ad4df2_ppc64le
Red Hatopenshift4/ose-machine-os-images-rhel9@sha256:6c04189876f5bd302ce07621420d3f5c6d7067395ce00a675d2f713bf8698a20_s390x as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-machine-os-images-rhel9@sha256:6c04189876f5bd302ce07621420d3f5c6d7067395ce00a675d2f713bf8698a20_s390x
Red Hatopenshift4/ose-oauth-proxy-rhel9@sha256:d42f59725fcbc69cef5d354a55d07f3dc37c6ce2956c6243b787b0402d7c7f63_amd64 as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-oauth-proxy-rhel9@sha256:d42f59725fcbc69cef5d354a55d07f3dc37c6ce2956c6243b787b0402d7c7f63_amd64
Red Hatopenshift4/ose-kube-proxy-rhel9@sha256:484bc5e0776b4d41829454b41d5cc682eb5b1317c0acfb564a1e4b0396401080_ppc64le as a component of Red Hat OpenShift Container Platform 4.17openshift4/ose-kube-proxy-rhel9@sha256:484bc5e0776b4d41829454b41d5cc682eb5b1317c0acfb564a1e4b0396401080_ppc64le

…and 632 more

Timeline

  • Apr 3, 2025 CVE Published
  • Apr 24, 2026 CVE Updated
  • Apr 24, 2026 Distribution Patch
  • Apr 24, 2026 Distribution Patch
  • Apr 24, 2026 Security Advisory
  • Apr 24, 2026 Security Advisory
  • Apr 24, 2026 Security Advisory
  • Apr 24, 2026 Security Advisory
Open in Interactive Console →
$ Console Community · 100/wk Open console ›