CVE-2023-25153

2023-02-1615:15:19

CWE-770

GitHub_M

web.nvd.nist.gov

237

cve-2023-25153

containerd

denial of service

nvd

security

image import

CVSS3

6.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

30.2%

JSON

containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

Affected configurations

Nvd

Vulners

Node

linuxfoundationcontainerdRange<1.5.18

linuxfoundationcontainerdRange1.6.0–1.6.18

VendorProductVersionCPE
linuxfoundationcontainerd*cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
linuxfoundation	containerd	*	cpe:2.3:a:linuxfoundation:containerd::::::::

CNA Affected

[
  {
    "vendor": "containerd",
    "product": "containerd",
    "versions": [
      {
        "version": "< 1.5.18",
        "status": "affected"
      },
      {
        "version": ">= 1.6.0, < 1.6.18",
        "status": "affected"
      }
    ]
  }
]