CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
80.1%
containerd is a container runtime available as a daemon for Linux and
Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and
1.4.12 where containers launched through containerd’s CRI implementation
on Linux with a specially-crafted image configuration could gain access to
read-only copies of arbitrary files and directories on the host. This may
bypass any policy-based enforcement on container setup (including a
Kubernetes Pod Security Policy) and expose potentially sensitive
information. Kubernetes and crictl can both be configured to use
containerd’s CRI implementation. This bug has been fixed in containerd
1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve
the issue.
Author | Note |
---|---|
mdeslaur | While this was fixed in USN-5311-1, a subsequent SRU regressed the security update. |
OS | Release | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | containerd | < 1.5.5-0ubuntu3~18.04.2 | UNKNOWN |
ubuntu | 20.04 | noarch | containerd | < 1.5.9-0ubuntu1~20.04.4 | UNKNOWN |
ubuntu | 21.10 | noarch | containerd | < 1.5.9-0ubuntu1~21.10.3 | UNKNOWN |
ubuntu | 22.04 | noarch | containerd | < 1.5.9-0ubuntu2 | UNKNOWN |
ubuntu | 16.04 | noarch | containerd | < 1.2.6-0ubuntu1~16.04.6+esm1 | UNKNOWN |
github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
launchpad.net/bugs/cve/CVE-2022-23648
nvd.nist.gov/vuln/detail/CVE-2022-23648
security-tracker.debian.org/tracker/CVE-2022-23648
ubuntu.com/security/notices/USN-5311-1
ubuntu.com/security/notices/USN-5311-2
www.cve.org/CVERecord?id=CVE-2022-23648