7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.1 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
24.1%
What kind of vulnerability is it? Who is impacted?
All versions of CRI-O running on cgroupv2 nodes.
Unchecked access to an experimental annotation allows a container to be unconfined. Back in 2021, support was added to support an experimental annotation that allows a user to request special resources in cgroupv2. It was supposed to be gated by an experimental annotation: io.kubernetes.cri-o.UnifiedCgroup
, which was supposed to be filtered from the list of allowed annotations . However, there is a bug in this code which allows any user to specify this annotation, regardless of whether it’s enabled on the node. The consequences of this are a pod can specify any amount of memory/cpu and get it, circumventing the kubernetes scheduler, and potentially be able to DOS a node.
Has the problem been patched? What versions should users upgrade to?
1.29.1, 1.28.3, 1.27.3
Is there a way for users to fix or remediate the vulnerability without upgrading?
use cgroupv1
Are there any links users can visit to find out more?
CPE | Name | Operator | Version |
---|---|---|---|
github.com/cri-o/cri-o | lt | 1.27.3 | |
github.com/cri-o/cri-o | lt | 1.28.3 | |
github.com/cri-o/cri-o | eq | 1.29.0 |
access.redhat.com/errata/RHSA-2024:0195
access.redhat.com/errata/RHSA-2024:0207
access.redhat.com/security/cve/CVE-2023-6476
bugzilla.redhat.com/show_bug.cgi?id=2253994
github.com/advisories/GHSA-p4rx-7wvg-fwrc
github.com/cri-o/cri-o/blob/main/pkg/config/workloads.go#L103-L107
github.com/cri-o/cri-o/commit/75effcb1a25851a736e82dba1f7d8cee93ee159e
github.com/cri-o/cri-o/pull/4479
github.com/cri-o/cri-o/security/advisories/GHSA-p4rx-7wvg-fwrc
nvd.nist.gov/vuln/detail/CVE-2023-6476
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.1 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
24.1%