Vulnerabilities related to linuxfoundation - containerd
cve-2020-15257
Vulnerability from cvelistv5
Published
2020-12-01 02:30
Modified
2024-08-04 13:15
Summary
containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with `docker run --net=host` or `hostNetwork: true` in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to `deny unix addr=@**,` to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.
Impacted products
Vendor: containerd
Product: containerd
Version: < 1.3.9
Version: >= 1.4.0, < 1.4.3


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T13:15:19.030Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/releases/tag/v1.4.3",
               },
               {
                  name: "FEDORA-2020-baeb8dbaea",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD/",
               },
               {
                  name: "DSA-4865",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2021/dsa-4865",
               },
               {
                  name: "GLSA-202105-33",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202105-33",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "containerd",
               vendor: "containerd",
               versions: [
                  {
                     status: "affected",
                     version: "< 1.3.9",
                  },
                  {
                     status: "affected",
                     version: ">= 1.4.0, < 1.4.3",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the \"host\" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 5.2,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-669",
                     description: "CWE-669 Incorrect Resource Transfer Between Spheres",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-05-26T11:08:46",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/containerd/containerd/releases/tag/v1.4.3",
            },
            {
               name: "FEDORA-2020-baeb8dbaea",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD/",
            },
            {
               name: "DSA-4865",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2021/dsa-4865",
            },
            {
               name: "GLSA-202105-33",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202105-33",
            },
         ],
         source: {
            advisory: "GHSA-36xw-fx78-c5r4",
            discovery: "UNKNOWN",
         },
         title: "containerd-shim API Exposed to Host Network Containers",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2020-15257",
               STATE: "PUBLIC",
               TITLE: "containerd-shim API Exposed to Host Network Containers",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "containerd",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "< 1.3.9",
                                       },
                                       {
                                          version_value: ">= 1.4.0, < 1.4.3",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "containerd",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the \"host\" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 5.2,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-669 Incorrect Resource Transfer Between Spheres",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4",
                     refsource: "CONFIRM",
                     url: "https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4",
                  },
                  {
                     name: "https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad",
                     refsource: "MISC",
                     url: "https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad",
                  },
                  {
                     name: "https://github.com/containerd/containerd/releases/tag/v1.4.3",
                     refsource: "MISC",
                     url: "https://github.com/containerd/containerd/releases/tag/v1.4.3",
                  },
                  {
                     name: "FEDORA-2020-baeb8dbaea",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD/",
                  },
                  {
                     name: "DSA-4865",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2021/dsa-4865",
                  },
                  {
                     name: "GLSA-202105-33",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202105-33",
                  },
               ],
            },
            source: {
               advisory: "GHSA-36xw-fx78-c5r4",
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2020-15257",
      datePublished: "2020-12-01T02:30:16",
      dateReserved: "2020-06-25T00:00:00",
      dateUpdated: "2024-08-04T13:15:19.030Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-41103
Vulnerability from cvelistv5
Published
2021-10-04 00:00
Modified
2024-08-04 02:59
Summary
containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these versions when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users and update directory permissions on container bundle directories.
Impacted products
Vendor: containerd
Product: containerd
Version: < 1.4.11
Version: >= 1.5.0, < 1.5.7


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T02:59:31.538Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/commit/5b46e404f6b9f661a205e28d59c982d3634148f8",
               },
               {
                  name: "FEDORA-2021-df975338d4",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/",
               },
               {
                  name: "FEDORA-2021-b5a9a481a2",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/",
               },
               {
                  name: "DSA-5002",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2021/dsa-5002",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf",
               },
               {
                  name: "GLSA-202401-31",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202401-31",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "containerd",
               vendor: "containerd",
               versions: [
                  {
                     status: "affected",
                     version: "< 1.4.11",
                  },
                  {
                     status: "affected",
                     version: ">= 1.5.0, < 1.5.7",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users. Update directory permission on container bundles directories.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "LOW",
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-22",
                     description: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-31T13:06:20.094638",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               url: "https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq",
            },
            {
               url: "https://github.com/containerd/containerd/commit/5b46e404f6b9f661a205e28d59c982d3634148f8",
            },
            {
               name: "FEDORA-2021-df975338d4",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/",
            },
            {
               name: "FEDORA-2021-b5a9a481a2",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/",
            },
            {
               name: "DSA-5002",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://www.debian.org/security/2021/dsa-5002",
            },
            {
               url: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf",
            },
            {
               name: "GLSA-202401-31",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202401-31",
            },
         ],
         source: {
            advisory: "GHSA-c2h3-6mxw-7mvq",
            discovery: "UNKNOWN",
         },
         title: "Insufficiently restricted permissions on plugin directories",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2021-41103",
      datePublished: "2021-10-04T00:00:00",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-08-04T02:59:31.538Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-31030
Vulnerability from cvelistv5
Published
2022-06-06 00:00
Modified
2024-08-03 07:03
Summary
containerd is an open source container runtime. A bug was found in containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.
Impacted products
Vendor: containerd
Product: containerd
Version: < 1.5.13
Version: >= 1.6.0, < 1.6.6


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T07:03:40.336Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382",
               },
               {
                  name: "[oss-security] 20220606 CVE-2022-31030: containerd CRI plugin: Host memory exhaustion through ExecSync",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2022/06/07/1",
               },
               {
                  name: "DSA-5162",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2022/dsa-5162",
               },
               {
                  name: "FEDORA-2022-725ac93b48",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/",
               },
               {
                  name: "FEDORA-2022-1da581ac6d",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/",
               },
               {
                  name: "GLSA-202401-31",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202401-31",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "containerd",
               vendor: "containerd",
               versions: [
                  {
                     status: "affected",
                     version: "< 1.5.13",
                  },
                  {
                     status: "affected",
                     version: ">= 1.6.0, < 1.6.6",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an \"exec\" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 5.5,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-400",
                     description: "CWE-400: Uncontrolled Resource Consumption",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-31T13:06:25.784592",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               url: "https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf",
            },
            {
               url: "https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382",
            },
            {
               name: "[oss-security] 20220606 CVE-2022-31030: containerd CRI plugin: Host memory exhaustion through ExecSync",
               tags: [
                  "mailing-list",
               ],
               url: "http://www.openwall.com/lists/oss-security/2022/06/07/1",
            },
            {
               name: "DSA-5162",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://www.debian.org/security/2022/dsa-5162",
            },
            {
               name: "FEDORA-2022-725ac93b48",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/",
            },
            {
               name: "FEDORA-2022-1da581ac6d",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/",
            },
            {
               name: "GLSA-202401-31",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202401-31",
            },
         ],
         source: {
            advisory: "GHSA-5ffw-gxpp-mxpf",
            discovery: "UNKNOWN",
         },
         title: "containerd CRI plugin: Host memory exhaustion through ExecSync",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2022-31030",
      datePublished: "2022-06-06T00:00:00",
      dateReserved: "2022-05-18T00:00:00",
      dateUpdated: "2024-08-03T07:03:40.336Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-25173
Vulnerability from cvelistv5
Published
2023-02-16 14:09
Modified
2025-03-10 21:10
Summary
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.
Impacted products
Vendor Product Version
containerd containerd Version: < 1.5.18
Version: >= 1.6.0, < 1.6.18


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T11:18:35.671Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
               },
               {
                  name: "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4",
               },
               {
                  name: "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
               },
               {
                  name: "https://github.com/advisories/GHSA-4wjj-jwc9-2x96",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/advisories/GHSA-4wjj-jwc9-2x96",
               },
               {
                  name: "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp",
               },
               {
                  name: "https://github.com/advisories/GHSA-phjr-8j92-w5v7",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/advisories/GHSA-phjr-8j92-w5v7",
               },
               {
                  name: "https://github.com/containerd/containerd/releases/tag/v1.5.18",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/releases/tag/v1.5.18",
               },
               {
                  name: "https://github.com/containerd/containerd/releases/tag/v1.6.18",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/releases/tag/v1.6.18",
               },
               {
                  name: "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-25173",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-03-10T21:00:44.060345Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-03-10T21:10:38.648Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "containerd",
               vendor: "containerd",
               versions: [
                  {
                     status: "affected",
                     version: "< 1.5.18",
                  },
                  {
                     status: "affected",
                     version: ">= 1.6.0, < 1.6.18",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.\n\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "LOW",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-863",
                     description: "CWE-863: Incorrect Authorization",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-09-15T20:06:31.329Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
            },
            {
               name: "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4",
            },
            {
               name: "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
            },
            {
               name: "https://github.com/advisories/GHSA-4wjj-jwc9-2x96",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/advisories/GHSA-4wjj-jwc9-2x96",
            },
            {
               name: "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp",
            },
            {
               name: "https://github.com/advisories/GHSA-phjr-8j92-w5v7",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/advisories/GHSA-phjr-8j92-w5v7",
            },
            {
               name: "https://github.com/containerd/containerd/releases/tag/v1.5.18",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/containerd/containerd/releases/tag/v1.5.18",
            },
            {
               name: "https://github.com/containerd/containerd/releases/tag/v1.6.18",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/containerd/containerd/releases/tag/v1.6.18",
            },
            {
               name: "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
            },
            {
               url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/",
            },
            {
               url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/",
            },
            {
               url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/",
            },
         ],
         source: {
            advisory: "GHSA-hmfx-3pcx-653p",
            discovery: "UNKNOWN",
         },
         title: "containerd supplementary groups are not set up properly",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2023-25173",
      datePublished: "2023-02-16T14:09:12.073Z",
      dateReserved: "2023-02-03T16:59:18.247Z",
      dateUpdated: "2025-03-10T21:10:38.648Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-21334
Vulnerability from cvelistv5
Published
2021-03-10 21:30
Modified
2024-08-03 18:09
Summary
In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue. This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.
Impacted products
Vendor Product Version
containerd containerd Version: < 1.3.10
Version: >= 1.4.0, < 1.4.4


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T18:09:15.415Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/releases/tag/v1.4.4",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/releases/tag/v1.3.10",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e",
               },
               {
                  name: "FEDORA-2021-470fa24f5b",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/",
               },
               {
                  name: "FEDORA-2021-10ce8fcbf1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/",
               },
               {
                  name: "FEDORA-2021-f049305892",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/",
               },
               {
                  name: "GLSA-202105-33",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202105-33",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "containerd",
               vendor: "containerd",
               versions: [
                  {
                     status: "affected",
                     version: "< 1.3.10",
                  },
                  {
                     status: "affected",
                     version: ">= 1.4.0, < 1.4.4",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-668",
                     description: "{\"CWE-668\":\"Exposure of Resource to Wrong Sphere\"}",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-05-26T11:08:46",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/containerd/containerd/releases/tag/v1.4.4",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/containerd/containerd/releases/tag/v1.3.10",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e",
            },
            {
               name: "FEDORA-2021-470fa24f5b",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/",
            },
            {
               name: "FEDORA-2021-10ce8fcbf1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/",
            },
            {
               name: "FEDORA-2021-f049305892",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/",
            },
            {
               name: "GLSA-202105-33",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202105-33",
            },
         ],
         source: {
            advisory: "GHSA-6g2q-w5j3-fwh4",
            discovery: "UNKNOWN",
         },
         title: "environment variable leak",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2021-21334",
               STATE: "PUBLIC",
               TITLE: "environment variable leak",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "containerd",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "< 1.3.10",
                                       },
                                       {
                                          version_value: ">= 1.4.0, < 1.4.4",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "containerd",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "{\"CWE-668\":\"Exposure of Resource to Wrong Sphere\"}",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4",
                     refsource: "CONFIRM",
                     url: "https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4",
                  },
                  {
                     name: "https://github.com/containerd/containerd/releases/tag/v1.4.4",
                     refsource: "MISC",
                     url: "https://github.com/containerd/containerd/releases/tag/v1.4.4",
                  },
                  {
                     name: "https://github.com/containerd/containerd/releases/tag/v1.3.10",
                     refsource: "MISC",
                     url: "https://github.com/containerd/containerd/releases/tag/v1.3.10",
                  },
                  {
                     name: "https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e",
                     refsource: "MISC",
                     url: "https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e",
                  },
                  {
                     name: "FEDORA-2021-470fa24f5b",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/",
                  },
                  {
                     name: "FEDORA-2021-10ce8fcbf1",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/",
                  },
                  {
                     name: "FEDORA-2021-f049305892",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/",
                  },
                  {
                     name: "GLSA-202105-33",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202105-33",
                  },
               ],
            },
            source: {
               advisory: "GHSA-6g2q-w5j3-fwh4",
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2021-21334",
      datePublished: "2021-03-10T21:30:18",
      dateReserved: "2020-12-22T00:00:00",
      dateUpdated: "2024-08-03T18:09:15.415Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-43816
Vulnerability from cvelistv5
Published
2022-01-05 18:55
Modified
2025-04-22 18:34
Summary
containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
Impacted products
Vendor Product Version
containerd containerd Version: >= 1.5.0, < 1.5.9


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T04:03:08.904Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/issues/6194",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299",
               },
               {
                  name: "FEDORA-2022-f668c3d70d",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX/",
               },
               {
                  name: "FEDORA-2022-a0b2a4d594",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID/",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2021-43816",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-04-22T15:45:32.084372Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-04-22T18:34:15.666Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "containerd",
               vendor: "containerd",
               versions: [
                  {
                     status: "affected",
                     version: ">= 1.5.0, < 1.5.9",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "HIGH",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-281",
                     description: "CWE-281: Improper Preservation of Permissions",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-02-15T02:06:19.000Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/containerd/containerd/issues/6194",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299",
            },
            {
               name: "FEDORA-2022-f668c3d70d",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX/",
            },
            {
               name: "FEDORA-2022-a0b2a4d594",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID/",
            },
         ],
         source: {
            advisory: "GHSA-mvff-h3cj-wj9c",
            discovery: "UNKNOWN",
         },
         title: "Improper Preservation of Permissions in containerd",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2021-43816",
               STATE: "PUBLIC",
               TITLE: "Improper Preservation of Permissions in containerd",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "containerd",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: ">= 1.5.0, < 1.5.9",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "containerd",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "HIGH",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-281: Improper Preservation of Permissions",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c",
                     refsource: "CONFIRM",
                     url: "https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c",
                  },
                  {
                     name: "https://github.com/containerd/containerd/issues/6194",
                     refsource: "MISC",
                     url: "https://github.com/containerd/containerd/issues/6194",
                  },
                  {
                     name: "https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea",
                     refsource: "MISC",
                     url: "https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea",
                  },
                  {
                     name: "https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299",
                     refsource: "MISC",
                     url: "https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299",
                  },
                  {
                     name: "FEDORA-2022-f668c3d70d",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX/",
                  },
                  {
                     name: "FEDORA-2022-a0b2a4d594",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID/",
                  },
               ],
            },
            source: {
               advisory: "GHSA-mvff-h3cj-wj9c",
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2021-43816",
      datePublished: "2022-01-05T18:55:10.000Z",
      dateReserved: "2021-11-16T00:00:00.000Z",
      dateUpdated: "2025-04-22T18:34:15.666Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-23471
Vulnerability from cvelistv5
Published
2022-12-07 22:51
Modified
2025-04-23 16:31
Summary
containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.
Impacted products
Vendor Product Version
containerd containerd Version: < 1.5.16
Version: >= 1.6.0, < 1.6.12


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T03:43:46.038Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9",
               },
               {
                  name: "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202401-31",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2022-23471",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-04-23T13:52:53.736356Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-04-23T16:31:30.024Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "containerd",
               vendor: "containerd",
               versions: [
                  {
                     status: "affected",
                     version: "< 1.5.16",
                  },
                  {
                     status: "affected",
                     version: ">= 1.6.0, < 1.6.12",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16.  Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 5.7,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-400",
                     description: "CWE-400: Uncontrolled Resource Consumption",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-31T13:06:15.170Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9",
            },
            {
               name: "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0",
            },
            {
               url: "https://security.gentoo.org/glsa/202401-31",
            },
         ],
         source: {
            advisory: "GHSA-2qjp-425j-52j9",
            discovery: "UNKNOWN",
         },
         title: "containerd CRI stream server: Host memory exhaustion through terminal resize goroutine leak",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2022-23471",
      datePublished: "2022-12-07T22:51:34.193Z",
      dateReserved: "2022-01-19T21:23:53.757Z",
      dateUpdated: "2025-04-23T16:31:30.024Z",
      requesterUserId: "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-15157
Vulnerability from cvelistv5
Published
2020-10-16 16:45
Modified
2024-08-04 13:08
Summary
In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.
References
Impacted products
Vendor Product Version
containerd containerd Version: < 1.2.14


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T13:08:22.310Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/releases/tag/v1.2.14",
               },
               {
                  name: "USN-4589-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4589-1/",
               },
               {
                  name: "USN-4589-2",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4589-2/",
               },
               {
                  name: "DSA-4865",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2021/dsa-4865",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "containerd",
               vendor: "containerd",
               versions: [
                  {
                     status: "affected",
                     version: "< 1.2.14",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.1,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-522",
                     description: "CWE-522 Insufficiently Protected Credentials",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-02-28T11:06:37",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/containerd/containerd/releases/tag/v1.2.14",
            },
            {
               name: "USN-4589-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4589-1/",
            },
            {
               name: "USN-4589-2",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4589-2/",
            },
            {
               name: "DSA-4865",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2021/dsa-4865",
            },
         ],
         source: {
            advisory: "GHSA-742w-89gc-8m9c",
            discovery: "UNKNOWN",
         },
         title: "containerd can be coerced into leaking credentials during image pull",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2020-15157",
               STATE: "PUBLIC",
               TITLE: "containerd can be coerced into leaking credentials during image pull",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "containerd",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "< 1.2.14",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "containerd",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.1,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-522 Insufficiently Protected Credentials",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c",
                     refsource: "CONFIRM",
                     url: "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c",
                  },
                  {
                     name: "https://github.com/containerd/containerd/releases/tag/v1.2.14",
                     refsource: "MISC",
                     url: "https://github.com/containerd/containerd/releases/tag/v1.2.14",
                  },
                  {
                     name: "USN-4589-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4589-1/",
                  },
                  {
                     name: "USN-4589-2",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4589-2/",
                  },
                  {
                     name: "DSA-4865",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2021/dsa-4865",
                  },
               ],
            },
            source: {
               advisory: "GHSA-742w-89gc-8m9c",
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2020-15157",
      datePublished: "2020-10-16T16:45:18",
      dateReserved: "2020-06-25T00:00:00",
      dateUpdated: "2024-08-04T13:08:22.310Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-23648
Vulnerability from cvelistv5
Published
2022-03-03 00:00
Modified
2024-08-03 03:51
Summary
containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.
Impacted products
Vendor: containerd
Product: containerd
Version: < 1.4.13
Version: >= 1.5.0, < 1.5.10
Version: >= 1.6.0, < 1.6.1


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T03:51:45.829Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/commit/10f428dac7cec44c864e1b830a4623af27a9fc70",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/releases/tag/v1.4.13",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/releases/tag/v1.5.10",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/releases/tag/v1.6.1",
               },
               {
                  name: "DSA-5091",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2022/dsa-5091",
               },
               {
                  name: "FEDORA-2022-dc35dd101f",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO/",
               },
               {
                  name: "FEDORA-2022-230f2b024b",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/166421/containerd-Image-Volume-Insecure-Handling.html",
               },
               {
                  name: "FEDORA-2022-d9c9bf56f6",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3/",
               },
               {
                  name: "GLSA-202401-31",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202401-31",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "containerd",
               vendor: "containerd",
               versions: [
                  {
                     status: "affected",
                     version: " < 1.4.13",
                  },
                  {
                     status: "affected",
                     version: ">= 1.5.0, < 1.5.10",
                  },
                  {
                     status: "affected",
                     version: ">= 1.6.0, < 1.6.1",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-200",
                     description: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-31T13:06:18.281051",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               url: "https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7",
            },
            {
               url: "https://github.com/containerd/containerd/commit/10f428dac7cec44c864e1b830a4623af27a9fc70",
            },
            {
               url: "https://github.com/containerd/containerd/releases/tag/v1.4.13",
            },
            {
               url: "https://github.com/containerd/containerd/releases/tag/v1.5.10",
            },
            {
               url: "https://github.com/containerd/containerd/releases/tag/v1.6.1",
            },
            {
               name: "DSA-5091",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://www.debian.org/security/2022/dsa-5091",
            },
            {
               name: "FEDORA-2022-dc35dd101f",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO/",
            },
            {
               name: "FEDORA-2022-230f2b024b",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA/",
            },
            {
               url: "http://packetstormsecurity.com/files/166421/containerd-Image-Volume-Insecure-Handling.html",
            },
            {
               name: "FEDORA-2022-d9c9bf56f6",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3/",
            },
            {
               name: "GLSA-202401-31",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202401-31",
            },
         ],
         source: {
            advisory: "GHSA-crp2-qrr5-8pq7",
            discovery: "UNKNOWN",
         },
         title: "Insecure handling of image volumes in containerd CRI plugin",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2022-23648",
      datePublished: "2022-03-03T00:00:00",
      dateReserved: "2022-01-19T00:00:00",
      dateUpdated: "2024-08-03T03:51:45.829Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-25153
Vulnerability from cvelistv5
Published
2023-02-16 14:09
Modified
2025-03-10 21:10
Summary
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
Impacted products
Vendor: containerd
Product: containerd
Version: < 1.5.18
Version: >= 1.6.0, < 1.6.18


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T11:18:35.221Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2",
               },
               {
                  name: "https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4",
               },
               {
                  name: "https://github.com/containerd/containerd/releases/tag/v1.5.18",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/releases/tag/v1.5.18",
               },
               {
                  name: "https://github.com/containerd/containerd/releases/tag/v1.6.18",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/releases/tag/v1.6.18",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-25153",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-03-10T20:57:30.825093Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-03-10T21:10:44.159Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "containerd",
               vendor: "containerd",
               versions: [
                  {
                     status: "affected",
                     version: "< 1.5.18",
                  },
                  {
                     status: "affected",
                     version: ">= 1.6.0, < 1.6.18",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18.  Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 6.2,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-770",
                     description: "CWE-770: Allocation of Resources Without Limits or Throttling",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-02-16T14:09:08.519Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2",
            },
            {
               name: "https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4",
            },
            {
               name: "https://github.com/containerd/containerd/releases/tag/v1.5.18",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/containerd/containerd/releases/tag/v1.5.18",
            },
            {
               name: "https://github.com/containerd/containerd/releases/tag/v1.6.18",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/containerd/containerd/releases/tag/v1.6.18",
            },
         ],
         source: {
            advisory: "GHSA-259w-8hf6-59c2",
            discovery: "UNKNOWN",
         },
         title: "containerd OCI image importer memory exhaustion",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2023-25153",
      datePublished: "2023-02-16T14:09:08.519Z",
      dateReserved: "2023-02-03T16:59:18.242Z",
      dateUpdated: "2025-03-10T21:10:44.159Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-32760
Vulnerability from cvelistv5
Published
2021-07-19 00:00
Modified
2024-11-19 14:27
Summary
containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.
Impacted products
Vendor: containerd
Product: containerd
Version: <= 1.4.7
Version: >= 1.5.0, <= 1.5.3


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T23:33:55.800Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/releases/tag/v1.4.8",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/containerd/containerd/releases/tag/v1.5.4",
               },
               {
                  name: "FEDORA-2021-53ce601cb0",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/",
               },
               {
                  name: "GLSA-202401-31",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202401-31",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2021-32760",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-11-19T14:27:11.335304Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-11-19T14:27:20.905Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "containerd",
               vendor: "containerd",
               versions: [
                  {
                     status: "affected",
                     version: "<= 1.4.7",
                  },
                  {
                     status: "affected",
                     version: ">= 1.5.0, <= 1.5.3",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 5,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-668",
                     description: "CWE-668: Exposure of Resource to Wrong Sphere",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-31T13:06:23.914511",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               url: "https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w",
            },
            {
               url: "https://github.com/containerd/containerd/releases/tag/v1.4.8",
            },
            {
               url: "https://github.com/containerd/containerd/releases/tag/v1.5.4",
            },
            {
               name: "FEDORA-2021-53ce601cb0",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/",
            },
            {
               name: "GLSA-202401-31",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202401-31",
            },
         ],
         source: {
            advisory: "GHSA-c72p-9xmj-rx3w",
            discovery: "UNKNOWN",
         },
         title: "Archive package allows chmod of file outside of unpack target directory",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2021-32760",
      datePublished: "2021-07-19T00:00:00",
      dateReserved: "2021-05-12T00:00:00",
      dateUpdated: "2024-11-19T14:27:20.905Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

Vulnerability from fkie_nvd
Published
2021-07-19 21:15
Modified
2024-11-21 06:07
Summary
containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B80F3640-4786-43D6-B222-FBE9A98B86D8",
                     versionEndExcluding: "1.4.8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B29F81BF-E74A-4C4E-ADEE-7A70AA58A9DC",
                     versionEndExcluding: "1.5.4",
                     versionStartIncluding: "1.5.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.",
      },
      {
         lang: "es",
         value: "containerd es un tiempo de ejecución de contenedores. Se ha encontrado un bug en las versiones de containerd anteriores a 1.4.8 y la 1.5.4, donde tirando y extrayendo una imagen de contenedor especialmente diseñada puede resultar en cambios en los permisos de archivos Unix para los archivos existentes en el sistema de archivos del host. Los cambios en los permisos de los archivos pueden denegar el acceso al propietario esperado del archivo, ampliar el acceso a otros, o establecer bits extendidos como setuid, setgid y sticky. Este bug no permite directamente la lectura, modificación o ejecución de archivos sin un proceso adicional de cooperación. Este bug ha sido corregido en containerd versiones 1.5.4 y 1.4.8. Como solución, asegúrese de que los usuarios sólo obtienen imágenes de fuentes de confianza. Los módulos de seguridad de Linux (LSM) como SELinux y AppArmor pueden limitar los archivos potencialmente afectados por este bug mediante políticas y perfiles que impiden que containerd interactúe con archivos específicos",
      },
   ],
   id: "CVE-2021-32760",
   lastModified: "2024-11-21T06:07:41.097",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.8,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
               version: "3.1",
            },
            exploitabilityScore: 1.6,
            impactScore: 3.4,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 6.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 3.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-07-19T21:15:07.857",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.4.8",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.5.4",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://security.gentoo.org/glsa/202401-31",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.4.8",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.5.4",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://security.gentoo.org/glsa/202401-31",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-668",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-732",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-02-16 15:15
Modified
2024-11-21 07:49
Summary
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.
References
security-advisories@github.com | https://github.com/advisories/GHSA-4wjj-jwc9-2x96 | Not Applicable
security-advisories@github.com | https://github.com/advisories/GHSA-fjm8-m7m6-2fjp | Not Applicable
security-advisories@github.com | https://github.com/advisories/GHSA-phjr-8j92-w5v7 | Not Applicable
security-advisories@github.com | https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a | Patch
security-advisories@github.com | https://github.com/containerd/containerd/releases/tag/v1.5.18 | Release Notes
security-advisories@github.com | https://github.com/containerd/containerd/releases/tag/v1.6.18 | Release Notes
security-advisories@github.com | https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p | Mitigation, Vendor Advisory
security-advisories@github.com | https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4 | Not Applicable
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
security-advisories@github.com | https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/ | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/advisories/GHSA-4wjj-jwc9-2x96 | Not Applicable
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/advisories/GHSA-fjm8-m7m6-2fjp | Not Applicable
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/advisories/GHSA-phjr-8j92-w5v7 | Not Applicable
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a | Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/releases/tag/v1.5.18 | Release Notes
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/releases/tag/v1.6.18 | Release Notes
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p | Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4 | Not Applicable
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
af854a3a-2127-422b-91ae-364da2661108 | https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/ | Exploit, Third Party Advisory
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4C98A2DA-3CDD-4438-AECC-DDDA67E61935",
                     versionEndExcluding: "1.5.18",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "BDD5FC3E-BEEB-4CAA-845E-3BADF39E46B2",
                     versionEndExcluding: "1.6.18",
                     versionStartIncluding: "1.6.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.\n\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups.",
      },
      {
         lang: "es",
         value: "Containerd es contenedor de código abierto en tiempo de ejecución. Se encontró un error en Containerd antes de las versiones 1.6.18 y 1.5.18 donde los grupos suplementarios no están configurados correctamente dentro de un contenedor. Si un atacante tiene acceso directo a un contenedor y manipula su acceso de grupo suplementario, es posible que pueda utilizar el acceso de grupo suplementario para eludir las restricciones del grupo primario en algunos casos, obteniendo potencialmente acceso a información confidencial o obteniendo la capacidad de ejecutar código en ese contenedor. Las aplicaciones posteriores que utilizan la librería cliente en containerd también pueden verse afectadas. Este error se ha solucionado en Containerd v1.6.18 y v.1.5.18. Los usuarios deben actualizar a estas versiones y volver a crear containers para resolver este problema. Los usuarios que dependen de una aplicación posterior que utiliza la librería cliente de Containerd deben verificar esa aplicación para obtener avisos e instrucciones por separado. Como workaround, asegúrese de que no se utilice la instrucción de Dockerfile `\"USER $USERNAME\"`. En su lugar, establezca el punto de entrada del contenedor en un valor similar a `ENTRYPOINT [\"su\", \"-\", \"user\"]` para permitir que `su` configure correctamente grupos suplementarios.",
      },
   ],
   id: "CVE-2023-25173",
   lastModified: "2024-11-21T07:49:15.083",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "LOW",
               baseScore: 5.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 3.4,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 7.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-02-16T15:15:20.057",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Not Applicable",
         ],
         url: "https://github.com/advisories/GHSA-4wjj-jwc9-2x96",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Not Applicable",
         ],
         url: "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Not Applicable",
         ],
         url: "https://github.com/advisories/GHSA-phjr-8j92-w5v7",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
         ],
         url: "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Release Notes",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.5.18",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Release Notes",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.6.18",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Mitigation",
            "Vendor Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Not Applicable",
         ],
         url: "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Not Applicable",
         ],
         url: "https://github.com/advisories/GHSA-4wjj-jwc9-2x96",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Not Applicable",
         ],
         url: "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Not Applicable",
         ],
         url: "https://github.com/advisories/GHSA-phjr-8j92-w5v7",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.5.18",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.6.18",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mitigation",
            "Vendor Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Not Applicable",
         ],
         url: "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-863",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-863",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2022-12-07 23:15
Modified
2024-11-21 06:48
Summary
containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D02D9735-2A77-44FE-81D2-6EC3064846FE",
                     versionEndExcluding: "1.5.16",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F6490824-A9DE-416F-BC94-9CE863D25A48",
                     versionEndExcluding: "1.6.12",
                     versionStartIncluding: "1.6.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16.  Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers. ",
      },
      {
         lang: "es",
         value: "Containerd es un runtime de contenedor de código abierto. Se encontró un error en la implementación CRI de Containerd donde un usuario puede agotar la memoria en el host. En el servidor de transmisión CRI, se lanza una rutina para manejar eventos de cambio de tamaño del terminal si se solicita un TTY. Si el proceso del usuario no se inicia debido, por ejemplo, a un comando defectuoso, la rutina se atascará esperando enviarse sin un receptor, lo que provocará una pérdida de memoria. Tanto Kubernetes como crictl se pueden configurar para usar la implementación CRI de Containerd y el servidor de transmisión se usa para manejar la E/S del contenedor. Este error se solucionó en Containerd 1.6.12 y 1.5.16. Los usuarios deben actualizar a estas versiones para resolver el problema. Los usuarios que no puedan actualizar deben asegurarse de que solo se utilicen imágenes y comandos confiables y que solo los usuarios confiables tengan permisos para ejecutar comandos en contenedores en ejecución.",
      },
   ],
   id: "CVE-2022-23471",
   lastModified: "2024-11-21T06:48:37.753",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 5.7,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.1,
            impactScore: 3.6,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 6.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-12-07T23:15:09.763",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9",
      },
      {
         source: "security-advisories@github.com",
         url: "https://security.gentoo.org/glsa/202401-31",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://security.gentoo.org/glsa/202401-31",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-400",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-401",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2022-06-09 14:15
Modified
2024-11-21 07:03
Summary
containerd is an open source container runtime. A bug was found in containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.
References
security-advisories@github.com | http://www.openwall.com/lists/oss-security/2022/06/07/1 | Mailing List, Third Party Advisory
security-advisories@github.com | https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382 | Product, Third Party Advisory
security-advisories@github.com | https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf | Third Party Advisory
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/
security-advisories@github.com | https://security.gentoo.org/glsa/202401-31
security-advisories@github.com | https://www.debian.org/security/2022/dsa-5162 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/06/07/1 | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382 | Product, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202401-31
af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2022/dsa-5162 | Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B7EB2740-DC73-492C-A597-4CF2D45BD086",
                     versionEndExcluding: "1.5.13",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "93B57D59-16AE-4F84-8C06-A40F9C219C77",
                     versionEndExcluding: "1.6.6",
                     versionStartIncluding: "1.6.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                     matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an \"exec\" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.",
      },
      {
         lang: "es",
         value: "containerd es un tiempo de ejecución de contenedores de código abierto. Se ha encontrado un error en la implementación de CRI de containerd en el que los programas dentro de un contenedor pueden causar que el demonio containerd consuma memoria sin límites durante la invocación de la API \"ExecSync\". Esto puede causar que containerd consuma toda la memoria disponible en el equipo, negando el servicio a otras cargas de trabajo legítimas. Tanto Kubernetes como crictl pueden configurarse para usar la implementación CRI de containerd; \"ExecSync\" puede usarse cuando son ejecutadas sondas o cuando son ejecutados procesos por medio de una instalación \"exec\". Este error ha sido corregido en containerd versiones 1.6.6 y 1.5.13. Los usuarios deben actualizar a estas versiones para resolver el problema. Los usuarios que no puedan actualizar deberían asegurarse de que sólo son usadas imágenes y comandos confiables",
      },
   ],
   id: "CVE-2022-31030",
   lastModified: "2024-11-21T07:03:44.867",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "LOW",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "LOCAL",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 2.1,
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               vectorString: "AV:L/AC:L/Au:N/C:N/I:N/A:P",
               version: "2.0",
            },
            exploitabilityScore: 3.9,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 5.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 3.6,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 5.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-06-09T14:15:08.550",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2022/06/07/1",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Product",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://security.gentoo.org/glsa/202401-31",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2022/dsa-5162",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2022/06/07/1",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Product",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://security.gentoo.org/glsa/202401-31",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2022/dsa-5162",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-400",
            },
         ],
         source: "security-advisories@github.com",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2022-03-03 14:15
Modified
2024-11-21 06:49
Summary
containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.
References
security-advisories@github.com | http://packetstormsecurity.com/files/166421/containerd-Image-Volume-Insecure-Handling.html | Exploit, Third Party Advisory, VDB Entry
security-advisories@github.com | https://github.com/containerd/containerd/commit/10f428dac7cec44c864e1b830a4623af27a9fc70 | Patch, Third Party Advisory
security-advisories@github.com | https://github.com/containerd/containerd/releases/tag/v1.4.13 | Patch, Release Notes, Third Party Advisory
security-advisories@github.com | https://github.com/containerd/containerd/releases/tag/v1.5.10 | Patch, Release Notes, Third Party Advisory
security-advisories@github.com | https://github.com/containerd/containerd/releases/tag/v1.6.1 | Patch, Release Notes, Third Party Advisory
security-advisories@github.com | https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7 | Third Party Advisory
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA/
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3/
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO/
security-advisories@github.com | https://security.gentoo.org/glsa/202401-31
security-advisories@github.com | https://www.debian.org/security/2022/dsa-5091 | Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/166421/containerd-Image-Volume-Insecure-Handling.html | Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/commit/10f428dac7cec44c864e1b830a4623af27a9fc70 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/releases/tag/v1.4.13 | Patch, Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/releases/tag/v1.5.10 | Patch, Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/releases/tag/v1.6.1 | Patch, Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO/
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202401-31
af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2022/dsa-5091 | Mailing List, Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "E2E44BA2-CF61-41F7-B332-C2C977368870",
                     versionEndExcluding: "1.4.13",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "5783F746-15E8-403A-A79F-D58E4577185E",
                     versionEndExcluding: "1.5.10",
                     versionStartIncluding: "1.5.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B7A0F3E7-387E-46F4-861A-8B65EBF6548A",
                     versionEndExcluding: "1.6.1",
                     versionStartIncluding: "1.6.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                     matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.",
      },
      {
         lang: "es",
         value: "containerd es un tiempo de ejecución de contenedores disponible como demonio para Linux y Windows. Se ha encontrado un fallo en containerd versiones anteriores a 1.6.1, 1.5.10 y 1.14.12, en el que los contenedores lanzados mediante la implementación CRI de containerd en Linux con una configuración de imagen especialmente diseñada podían conseguir acceso a copias de sólo lectura de archivos y directorios arbitrarios en el host. Esto puede omitir cualquier aplicación basada en políticas sobre la configuración de contenedores (incluyendo una política de seguridad de Kubernetes Pod) y exponer información potencialmente confidencial. Kubernetes y crictl pueden ser configurados para usar la implementación de CRI de containerd. Este error ha sido corregido en containerd versiones 1.6.1, 1.5.10 y 1.4.12. Los usuarios deben actualizar a estas versiones para resolver el problema",
      },
   ],
   id: "CVE-2022-23648",
   lastModified: "2024-11-21T06:49:00.957",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-03-03T14:15:07.973",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/166421/containerd-Image-Volume-Insecure-Handling.html",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/commit/10f428dac7cec44c864e1b830a4623af27a9fc70",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.4.13",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.5.10",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.6.1",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://security.gentoo.org/glsa/202401-31",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2022/dsa-5091",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://packetstormsecurity.com/files/166421/containerd-Image-Volume-Insecure-Handling.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/commit/10f428dac7cec44c864e1b830a4623af27a9fc70",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.4.13",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.5.10",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.6.1",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://security.gentoo.org/glsa/202401-31",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2022/dsa-5091",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-200",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "NVD-CWE-noinfo",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-02-16 15:15
Modified
2024-11-21 07:49
Summary
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4C98A2DA-3CDD-4438-AECC-DDDA67E61935",
                     versionEndExcluding: "1.5.18",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "BDD5FC3E-BEEB-4CAA-845E-3BADF39E46B2",
                     versionEndExcluding: "1.6.18",
                     versionStartIncluding: "1.6.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18.  Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.",
      },
   ],
   id: "CVE-2023-25153",
   lastModified: "2024-11-21T07:49:12.643",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 6.2,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.5,
            impactScore: 3.6,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 5.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-02-16T15:15:19.477",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
         ],
         url: "https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Release Notes",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.5.18",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Release Notes",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.6.18",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.5.18",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.6.18",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-770",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-770",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2022-01-05 19:15
Modified
2024-11-21 06:29
Summary
containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
References
security-advisories@github.com | https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea | Patch, Third Party Advisory
security-advisories@github.com | https://github.com/containerd/containerd/issues/6194 | Exploit, Issue Tracking, Third Party Advisory
security-advisories@github.com | https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c | Third Party Advisory
security-advisories@github.com | https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299 | Patch, Third Party Advisory
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX/
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID/
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/issues/6194 | Exploit, Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID/



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "43387595-2EE9-4BCB-BA40-899372BAFD60",
                     versionEndExcluding: "1.5.9",
                     versionStartIncluding: "1.5.1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.5.0:-:*:*:*:*:*:*",
                     matchCriteriaId: "51312F5E-E77D-4714-A47A-EB2900F91852",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.5.0:beta0:*:*:*:*:*:*",
                     matchCriteriaId: "2C477ED1-29F2-47CC-B523-331FE4052336",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.5.0:beta1:*:*:*:*:*:*",
                     matchCriteriaId: "2DD59A2E-2AF5-4D24-A0BD-F9A7C2064A91",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.5.0:beta2:*:*:*:*:*:*",
                     matchCriteriaId: "6D819271-9946-4A69-8EF7-AFF8AAA226CE",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.5.0:beta3:*:*:*:*:*:*",
                     matchCriteriaId: "F87C27FC-1AE4-45BA-BCF5-D5C2AEC3F3E4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.5.0:beta4:*:*:*:*:*:*",
                     matchCriteriaId: "3F6FA16C-59DA-42A7-A75C-5E8FB0E83453",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.5.0:rc0:*:*:*:*:*:*",
                     matchCriteriaId: "2829C988-52D0-42A6-B063-B789046DBC58",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.5.0:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "459C3B7F-4875-42A1-B242-A342218CEFD4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.5.0:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "6C93E100-A2D4-4781-8C36-4DBCFD704CB2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.5.0:rc3:*:*:*:*:*:*",
                     matchCriteriaId: "F43624CC-D1D3-4FF0-8D97-20E190A9A56E",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                     matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.",
      },
      {
         lang: "es",
         value: "containerd es un tiempo de ejecución de contenedores de código abierto. En las instalaciones que usan SELinux, como EL8 (CentOS, RHEL), Fedora o SUSE MicroOS, con containerd desde la versión v1.5.0-beta.0 como interfaz de ejecución de contenedores de respaldo (CRI), un pod sin privilegios programado en el nodo puede enlazar el montaje, por medio del volumen hostPath, de cualquier archivo privilegiado y regular en el disco para un acceso completo de lectura/escritura (sans delete). Esto es conseguido al colocar la ubicación dentro del contenedor del montaje del volumen hostPath en \"/etc/hosts\", \"/etc/hostname\", o \"/etc/resolv.conf\". Estas ubicaciones están siendo reetiquetadas indiscriminadamente para que coincidan con la etiqueta del proceso del contenedor, lo que efectivamente eleva los permisos para los contenedores inteligentes que normalmente no podrían acceder a los archivos privilegiados del host. Este problema ha sido resuelto en versión 1.5.9. Se recomienda a usuarios que actualicen lo antes posible.",
      },
   ],
   id: "CVE-2021-43816",
   lastModified: "2024-11-21T06:29:51.197",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "PARTIAL",
               baseScore: 6,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:S/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 6.8,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "HIGH",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.3,
            impactScore: 6,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.1,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "HIGH",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.3,
            impactScore: 6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-01-05T19:15:08.717",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Exploit",
            "Issue Tracking",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/issues/6194",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Issue Tracking",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/issues/6194",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID/",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-281",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-281",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2020-12-01 03:15
Modified
2024-11-21 05:05
Summary
containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.
References
security-advisories@github.com | https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad | Patch, Third Party Advisory
security-advisories@github.com | https://github.com/containerd/containerd/releases/tag/v1.4.3 | Third Party Advisory
security-advisories@github.com | https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4 | Mitigation, Third Party Advisory
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD/
security-advisories@github.com | https://security.gentoo.org/glsa/202105-33 | Third Party Advisory
security-advisories@github.com | https://www.debian.org/security/2021/dsa-4865 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/releases/tag/v1.4.3 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4 | Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD/
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202105-33 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2021/dsa-4865 | Third Party Advisory
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "AE0C7E47-205B-4949-88A5-E5885F9F3C8B",
                     versionEndExcluding: "1.3.9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "043B8600-6802-4946-89C1-A3CC3FC50112",
                     versionEndExcluding: "1.4.3",
                     versionStartIncluding: "1.4.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                     matchCriteriaId: "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the \"host\" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.",
      },
      {
         lang: "es",
         value: "containerd es un tiempo de ejecución de contenedor estándar de la industria y está disponible como demonio para Linux y Windows. En containerd anterior a las versiones 1.3.9 y 1.4.3, la API containerd-shim está expuesta inapropiadamente a los contenedores de red del host. Los controles de acceso para el socket de la API de shim verificaron que el proceso de conexión tuviera un UID efectivo de 0, pero no restringieron de otra manera el acceso al socket de dominio Unix abstracto. Esto permitiría que los contenedores maliciosos se ejecuten en el mismo espacio de nombres de red que el shim, con un UID efectivo de 0 pero con privilegios reducidos, para causar que nuevos procesos se ejecuten con privilegios elevados. Esta vulnerabilidad se ha corregido en containerd versiones 1.3.9 y 1.4.3. Los usuarios deben actualizar a estas versiones tan pronto como se publiquen. Cabe señalar que los contenedores iniciados con una versión anterior de containerd-shim deben detenerse y reiniciarse, ya que los contenedores en ejecución seguirán siendo vulnerables inclusive después de una actualización. Si no proporciona la capacidad para que los usuarios que no son de confianza inicien contenedores en el mismo espacio de nombres de red que el shim (normalmente el espacio de nombres de red \"host\", por ejemplo, con docker run --net=host o hostNetwork: true en un pod de Kubernetes) y ejecutar con un UID efectivo de 0, no es vulnerable a este problema. Si está ejecutando contenedores con una configuración vulnerable, puede denegar el acceso a todos los sockets abstractos con AppArmor agregando una línea similar a denegar unix addr=@**, para su política. Es una buena práctica ejecutar contenedores con un conjunto reducido de privilegios, con un UID distinto de cero y con espacios de nombres aislados. Los encargados de mantenimiento de contenedores no aconsejan compartir espacios de nombres con el host. 
Reducir el conjunto de mecanismos de aislamiento usados para un contenedor necesariamente aumenta el privilegio de ese contenedor, independientemente del tiempo de ejecución del contenedor que se use para ejecutar ese contenedor",
      },
   ],
   id: "CVE-2020-15257",
   lastModified: "2024-11-21T05:05:12.617",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "LOW",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "LOCAL",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 3.6,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:L/AC:L/Au:N/C:P/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 3.9,
            impactScore: 4.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "NONE",
               baseScore: 5.2,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2,
            impactScore: 2.7,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "NONE",
               baseScore: 5.2,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-12-01T03:15:11.257",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.4.3",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202105-33",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2021/dsa-4865",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.4.3",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202105-33",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2021/dsa-4865",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-669",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-669",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-10-04 17:15
Modified
2024-11-21 06:25
Summary
containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these versions when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users. Update directory permission on container bundles directories.
References
security-advisories@github.com | https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
security-advisories@github.com | https://github.com/containerd/containerd/commit/5b46e404f6b9f661a205e28d59c982d3634148f8 | Patch, Third Party Advisory
security-advisories@github.com | https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq | Third Party Advisory
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/
security-advisories@github.com | https://security.gentoo.org/glsa/202401-31
security-advisories@github.com | https://www.debian.org/security/2021/dsa-5002 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/commit/5b46e404f6b9f661a205e28d59c982d3634148f8 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202401-31
af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2021/dsa-5002 | Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "8471080E-7A72-48EE-817A-C3FCEDB777E1",
                     versionEndExcluding: "1.4.11",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "227778FB-454E-4747-872D-D9D011F9DEDE",
                     versionEndExcluding: "1.5.7",
                     versionStartIncluding: "1.5.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                     matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users. Update directory permission on container bundles directories.",
      },
      {
         lang: "es",
         value: "containerd es un tiempo de ejecución de contenedores de código abierto con énfasis en la simplicidad, robustez y portabilidad. Se encontró un bug en containerd en el que los directorios root de los contenedores y algunos plugins tenían permisos insuficientemente restringidos, que permitía a usuarios de Linux sin privilegios un salto de directorio de contenidos y ejecutar programas. Cuando los contenedores incluían programas ejecutables con bits de permiso extendidos (como setuid), los usuarios no privilegiados de Linux podían detectar y ejecutar esos programas. Cuando el UID de un usuario de Linux sin privilegios en el host colisionaba con el propietario o el grupo del archivo dentro de un contenedor, el usuario de Linux sin privilegios en el host podía detectar, leer y modificar esos archivos. Esta vulnerabilidad ha sido corregida en containerd versión 1.4.11 y containerd versión 1.5.7. Los usuarios deben actualizar a estas versiones cuando se publiquen y pueden reiniciar los contenedores o actualizar los permisos de directorio para mitigar la vulnerabilidad. Los usuarios que no puedan actualizar deberían limitar el acceso al host a usuarios confiables. Actualizar los permisos de directorio en los directorios de los paquetes de contenedores",
      },
   ],
   id: "CVE-2021-41103",
   lastModified: "2024-11-21T06:25:28.423",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "HIGH",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "LOCAL",
               authentication: "NONE",
               availabilityImpact: "COMPLETE",
               baseScore: 7.2,
               confidentialityImpact: "COMPLETE",
               integrityImpact: "COMPLETE",
               vectorString: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
               version: "2.0",
            },
            exploitabilityScore: 3.9,
            impactScore: 10,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "LOW",
               baseScore: 5.9,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
               version: "3.0",
            },
            exploitabilityScore: 2.5,
            impactScore: 3.4,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 7.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-10-04T17:15:08.517",
   references: [
      {
         source: "security-advisories@github.com",
         url: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/commit/5b46e404f6b9f661a205e28d59c982d3634148f8",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://security.gentoo.org/glsa/202401-31",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2021/dsa-5002",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/commit/5b46e404f6b9f661a205e28d59c982d3634148f8",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://security.gentoo.org/glsa/202401-31",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2021/dsa-5002",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2020-10-16 17:15
Modified
2024-11-21 05:04
Summary
In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0C304363-533E-4DA0-9F40-93E6D86E59CD",
                     versionEndExcluding: "1.2.14",
                     versionStartIncluding: "1.2.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:-:*:*:*:*:*:*",
                     matchCriteriaId: "456DE836-AA57-4EFD-A86C-605C7E3F2458",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:beta0:*:*:*:*:*:*",
                     matchCriteriaId: "BF7FDBEC-0537-4A66-849D-C713643D2AE0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:beta1:*:*:*:*:*:*",
                     matchCriteriaId: "F0B14069-915C-4CA6-BF0C-EC9E8182376F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:beta2:*:*:*:*:*:*",
                     matchCriteriaId: "CCD383CB-954C-42D3-B1A6-7116BA2CA022",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:rc0:*:*:*:*:*:*",
                     matchCriteriaId: "E34C93C2-DCBD-4F8A-AE8D-4EDF49CE2BAC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "541DDD1F-302B-41C7-A4EC-362E3AEDEDDF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "023E3733-2DF7-4272-A373-65FE6F1C123D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:rc3:*:*:*:*:*:*",
                     matchCriteriaId: "BBF42CAF-4E8D-46ED-9C14-1EFA57721A72",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "902B8056-9E37-443B-8905-8AA93E2447FB",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.",
      },
      {
         lang: "es",
         value: "En containerd (un tiempo de ejecución de contenedor estándar de la industria) anterior a la versión 1.2.14, Se presenta una vulnerabilidad de filtrado de credenciales. Si un manifiesto de imagen de contenedor en el formato OCI Image o el formato Docker Image V2 Schema 2 incluye una URL para la ubicación de una capa de imagen específica (también se conoce como “foreign layer”), el solucionador de containerd predeterminado seguirá esa URL para intentar descargarla. En la versión v1.2.x pero no en 1.3.0 o posterior, el solucionador de containerd predeterminado proporcionará sus credenciales de autenticación si el servidor donde se encuentra la URL presenta un código de estado HTTP 401 junto con encabezados HTTP específicos del registro. Si un atacante publica una imagen pública con un manifiesto que indica que una de las capas se extraiga de un servidor web que controlan y engaña a un usuario o sistema para que extraiga la imagen, pueden obtener las credenciales usadas para extraer esa imagen. En algunos casos, puede ser el nombre de usuario y la contraseña del usuario para el registro. En otros casos, estas pueden ser las credenciales adjuntas a la instancia virtual en nube que pueden otorgar acceso a otros recursos en nube en la cuenta. El solucionador de containerd predeterminado es usado por el plugin cri-containerd (que puede ser usado por Kubernetes), la herramienta de desarrollo ctr y otros programas cliente que se han vinculado explícitamente con él. Esta vulnerabilidad ha sido corregida en containerd versión 1.2.14. containerd versión 1.3 y posteriores no están afectados. Si está utilizando containerd versión 1.3 o posterior, no estará afectado. Si está utilizando cri-containerd en la serie 1.2 o anterior, debe asegurarse de obtener solo imágenes de fuentes confiables. Otros tiempos de ejecución de contenedores construidos por encima de containerd pero que no usan el solucionador predeterminado (tal y como Docker) no están afectados",
      },
   ],
   id: "CVE-2020-15157",
   lastModified: "2024-11-21T05:04:57.953",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "LOW",
            cvssData: {
               accessComplexity: "HIGH",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 2.6,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 4.9,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.6,
            impactScore: 4,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.6,
            impactScore: 4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-10-16T17:15:11.870",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.2.14",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/4589-1/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/4589-2/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2021/dsa-4865",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.2.14",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/4589-1/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/4589-2/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2021/dsa-4865",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-522",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-522",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-03-10 22:15
Modified
2024-11-21 05:48
Summary
In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue. This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.
References
security-advisories@github.com | https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e | Patch, Third Party Advisory
security-advisories@github.com | https://github.com/containerd/containerd/releases/tag/v1.3.10 | Release Notes, Third Party Advisory
security-advisories@github.com | https://github.com/containerd/containerd/releases/tag/v1.4.4 | Release Notes, Third Party Advisory
security-advisories@github.com | https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4 | Third Party Advisory
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/
security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/
security-advisories@github.com | https://security.gentoo.org/glsa/202105-33 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/releases/tag/v1.3.10 | Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/releases/tag/v1.4.4 | Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202105-33 | Third Party Advisory
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D03A074C-D4A4-4378-94B0-1421F989EAA1",
                     versionEndExcluding: "1.3.10",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "703E5B34-065D-40F7-BD1A-C4EC272FEA55",
                     versionEndExcluding: "1.4.4",
                     versionStartIncluding: "1.4.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                     matchCriteriaId: "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.",
      },
      {
         lang: "es",
         value: "En containerd (un tiempo de ejecución de contenedor estándar de la industria) anteriores a versiones 1.3.10 y 1.4.4, los contenedores se iniciaron por medio de la implementación de CRI de containerd (por medio de Kubernetes, crictl o cualquier otro cliente de pod/container que use el servicio CRI de containerd) que comparten la misma imagen, puede recibir variables de entorno incorrectas, incluyendo los valores definidos para otros contenedores. Si los contenedores afectados presentan diferentes contextos de seguridad, esto puede permitir que información confidencial sea compartida sin intención. Si no está utilizando la implementación de CRI de containerd (por medio de uno de los mecanismos descritos anteriormente), no es vulnerable a este problema. Si no está iniciando varios contenedores o pods de Kubernetes desde la misma imagen que tienen diferentes variables de entorno, no es vulnerable a este problema. Si no está iniciando varios contenedores o pods de Kubernetes desde la misma imagen en rápida sucesión, presenta menos probabilidades de ser vulnerable a este problema. Esta vulnerabilidad ha sido corregida en containerd versión 1.3.10 y containerd versión 1.4.4. Los usuarios deben actualizar a estas versiones",
      },
   ],
   id: "CVE-2021-21334",
   lastModified: "2024-11-21T05:48:02.740",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 4,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-03-10T22:15:12.183",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.3.10",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.4.4",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202105-33",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.3.10",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.4.4",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202105-33",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-668",
            },
         ],
         source: "security-advisories@github.com",
         type: "Primary",
      },
   ],
}