Insecure handling of image volumes in containerd CRI plugin
Description
containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.4.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/containerd/containerd | Go | < 1.4.13 | 1.4.13 |
| github.com/containerd/containerd | Go | >= 1.5.0, < 1.5.10 | 1.5.10 |
| github.com/containerd/containerd | Go | >= 1.6.0, < 1.6.1 | 1.6.1 |
Affected products
References
- github.com/advisories/GHSA-crp2-qrr5-8pq7 (GitHub advisory)
- github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7 (containerd security advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-23648 (NVD)
- github.com/containerd/containerd/commit/10f428dac7cec44c864e1b830a4623af27a9fc70 (fix commit)
- github.com/containerd/containerd/releases/tag/v1.4.13 (release)
- github.com/containerd/containerd/releases/tag/v1.5.10 (release)
- github.com/containerd/containerd/releases/tag/v1.6.1 (release)
- www.debian.org/security/2022/dsa-5091 (Debian vendor advisory)
- security.gentoo.org/glsa/202401-31 (Gentoo vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA/ (Fedora vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3/ (Fedora vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO/ (Fedora vendor advisory)
- packetstormsecurity.com/files/166421/containerd-Image-Volume-Insecure-Handling.html (web)