1680 matches found
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview github.com/containerd/containerd/pkg/cri/server is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer an...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the propagation of unvalidated LABEL values from image configuration to container labels. An attacker can execute arbitrary commands on the host by...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the propagation of unvalidated LABEL values from image configuration to container labels. An attacker can execute arbitrary commands on the host by...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the propagation of unvalidated LABEL values from image configuration to container labels. An attacker can execute arbitrary commands on the host by...
containerd CRI — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull
Impact A bug was found in containerd where the CRI plugin propagates labels from an image config LABEL instruction in Dockerfile to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. Patch...
GHSA-XHF5-7WJV-PQXP containerd CRI — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull
Impact A bug was found in containerd where the CRI plugin propagates labels from an image config LABEL instruction in Dockerfile to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. Patch...
Insufficient Verification of Data Authenticity
Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the CRI checkpoint import. An attacker can cause arbitrary code execution by crafting a checkpoint image that forces the system to pull a malicious image and assign it an arbitrary local...
Insufficient Verification of Data Authenticity
Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the CRI checkpoint import. An attacker can cause arbitrary code execution by crafting a checkpoint image that forces the system to pull a malicious image and assign it an arbitrary local...
Insufficient Verification of Data Authenticity
Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the CRI checkpoint import. An attacker can cause arbitrary code execution by crafting a checkpoint image that forces the system to pull a malicious image and assign it an arbitrary local...
containerd: CRI checkpoint import allows local image tag poisoning
Impact containerd's CRI checkpoint import process contains a vulnerability where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious...
GHSA-CVXM-645Q-P574 containerd: CRI checkpoint import allows local image tag poisoning
Impact containerd's CRI checkpoint import process contains a vulnerability where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the group parsing process. An attacker can cause memory exhaustion and disrupt the container runtime API by supplying a maliciously crafted image that triggers unbounded parsing,...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the group parsing process. An attacker can cause memory exhaustion and disrupt the container runtime API by supplying a maliciously crafted image that triggers unbounded parsing,...
GHSA-JPCC-P29G-P8MQ containerd image-triggered runtime DoS via unbounded group parsing
Impact A vulnerability in containerd allows a maliciously crafted image to cause a Denial of Service DoS condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory OOM kill of the containerd process. This renders the container runtime API unavailab...
containerd image-triggered runtime DoS via unbounded group parsing
Impact A vulnerability in containerd allows a maliciously crafted image to cause a Denial of Service DoS condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory OOM kill of the containerd process. This renders the container runtime API unavailab...
Astra Linux – Vulnerability in golang-golang-x-net, containerd-app
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to a Denial-of-Service DoS attack if an attacker provides specially crafted HTML content...
Astra Linux – Vulnerability in golang-golang-x-net, containerd-app
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to a Denial-of-Service DoS attack if an attacker provides specially crafted HTML content...
Astra Linux – Vulnerability in Containerd
Containerd is an open-source container runtime. A bug was discovered in the CRI implementation of Containerd, where programs within a container can cause the Containerd daemon to consume memory indefinitely during the invocation of the ExecSync API. This can result in Containerd consuming all...
Astra Linux – Vulnerability in Containerd
Containerd is a container runtime that is available as a daemon for Linux and Windows. A bug was discovered in Containerd prior to versions 1.6.1, 1.5.10, and 1.14.12. In these versions, containers launched through Containerd’s CRI implementation on Linux, with a specially crafted image...
Astra Linux – Vulnerability in Containerd
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was discovered in Moby Docker Engine prior to version 20.10.14, where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux...