rpm package
suse/containerd&distro=SUSE Linux Enterprise Module for Containers 12
pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012
Vulnerabilities (44)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-21334 | — | < 1.4.4-16.38.1 | 1.4.4-16.38.1 | Mar 10, 2021 | In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may | ||
| CVE-2021-21284 | — | < 1.3.9-16.35.1 | 1.3.9-16.35.1 | Feb 2, 2021 | In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesy | ||
| CVE-2021-21285 | — | < 1.3.9-16.35.1 | 1.3.9-16.35.1 | Feb 2, 2021 | In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing. | ||
| CVE-2020-15257 | — | < 1.3.9-16.32.1 | 1.3.9-16.32.1 | Dec 1, 2020 | containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified tha | ||
| CVE-2020-12912 | — | < 1.7.8-16.88.1 | 1.7.8-16.88.1 | Nov 12, 2020 | A potential vulnerability in the AMD extension to Linux "hwmon" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require pr | ||
| CVE-2020-8695 | — | < 1.7.8-16.88.1 | 1.7.8-16.88.1 | Nov 12, 2020 | Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access. | ||
| CVE-2020-8694 | — | < 1.7.8-16.88.1 | 1.7.8-16.88.1 | Nov 12, 2020 | Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | ||
| CVE-2020-15157 | — | < 1.3.9-16.35.1 | 1.3.9-16.35.1 | Oct 16, 2020 | In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise | ||
| CVE-2020-13401 | — | < 1.2.13-16.29.1 | 1.2.13-16.29.1 | Jun 2, 2020 | An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service. | ||
| CVE-2019-19921 | — | < 1.4.4-16.38.1 | 1.4.4-16.38.1 | Feb 12, 2020 | runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vul | ||
| CVE-2019-16884 | — | < 1.2.10-16.26.1 | 1.2.10-16.26.1 | Sep 25, 2019 | runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory. | ||
| CVE-2019-14271 | — | < 1.2.6-16.23.1 | 1.2.6-16.23.1 | Jul 29, 2019 | In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container. | ||
| CVE-2019-13509 | — | < 1.2.6-16.23.1 | 1.2.6-16.23.1 | Jul 18, 2019 | In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non | ||
| CVE-2019-5736 | — | < 1.2.2-16.14.2 | 1.2.2-16.14.2 | Feb 11, 2019 | runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new conta | ||
| CVE-2019-6486 | — | < 1.2.5-16.17.2 | 1.2.5-16.17.2 | Jan 24, 2019 | Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks. | ||
| CVE-2018-16875 | — | < 1.2.2-16.14.2 | 1.2.2-16.14.2 | Dec 14, 2018 | The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates | ||
| CVE-2018-16874 | — | < 1.2.2-16.14.2 | 1.2.2-16.14.2 | Dec 14, 2018 | In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but | ||
| CVE-2018-16873 | — | < 1.2.2-16.14.2 | 1.2.2-16.14.2 | Dec 14, 2018 | In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPA | ||
| CVE-2018-10892 | — | < 1.2.6-16.23.1 | 1.2.6-16.23.1 | Jul 6, 2018 | The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness. | ||
| CVE-2017-16539 | Med | 5.9 | < 0.2.9+gitr706_06b9cb351610-16.8.1 | 0.2.9+gitr706_06b9cb351610-16.8.1 | Nov 4, 2017 | The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-dev |
- CVE-2021-21334Mar 10, 2021affected < 1.4.4-16.38.1fixed 1.4.4-16.38.1
In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may
- CVE-2021-21284Feb 2, 2021affected < 1.3.9-16.35.1fixed 1.3.9-16.35.1
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesy
- CVE-2021-21285Feb 2, 2021affected < 1.3.9-16.35.1fixed 1.3.9-16.35.1
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.
- CVE-2020-15257Dec 1, 2020affected < 1.3.9-16.32.1fixed 1.3.9-16.32.1
containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified tha
- CVE-2020-12912Nov 12, 2020affected < 1.7.8-16.88.1fixed 1.7.8-16.88.1
A potential vulnerability in the AMD extension to Linux "hwmon" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require pr
- CVE-2020-8695Nov 12, 2020affected < 1.7.8-16.88.1fixed 1.7.8-16.88.1
Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.
- CVE-2020-8694Nov 12, 2020affected < 1.7.8-16.88.1fixed 1.7.8-16.88.1
Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2020-15157Oct 16, 2020affected < 1.3.9-16.35.1fixed 1.3.9-16.35.1
In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise
- CVE-2020-13401Jun 2, 2020affected < 1.2.13-16.29.1fixed 1.2.13-16.29.1
An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.
- CVE-2019-19921Feb 12, 2020affected < 1.4.4-16.38.1fixed 1.4.4-16.38.1
runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vul
- CVE-2019-16884Sep 25, 2019affected < 1.2.10-16.26.1fixed 1.2.10-16.26.1
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.
- CVE-2019-14271Jul 29, 2019affected < 1.2.6-16.23.1fixed 1.2.6-16.23.1
In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.
- CVE-2019-13509Jul 18, 2019affected < 1.2.6-16.23.1fixed 1.2.6-16.23.1
In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non
- CVE-2019-5736Feb 11, 2019affected < 1.2.2-16.14.2fixed 1.2.2-16.14.2
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new conta
- CVE-2019-6486Jan 24, 2019affected < 1.2.5-16.17.2fixed 1.2.5-16.17.2
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
- CVE-2018-16875Dec 14, 2018affected < 1.2.2-16.14.2fixed 1.2.2-16.14.2
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates
- CVE-2018-16874Dec 14, 2018affected < 1.2.2-16.14.2fixed 1.2.2-16.14.2
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but
- CVE-2018-16873Dec 14, 2018affected < 1.2.2-16.14.2fixed 1.2.2-16.14.2
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPA
- CVE-2018-10892Jul 6, 2018affected < 1.2.6-16.23.1fixed 1.2.6-16.23.1
The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness.
- affected < 0.2.9+gitr706_06b9cb351610-16.8.1fixed 0.2.9+gitr706_06b9cb351610-16.8.1
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-dev
Page 2 of 3