9 matches found
CVE-2026-53488
containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config LABEL instruction in Dockerfile to a container without validation. This may result in executing an arbitrary command on the host, via ...
GHSA-XHF5-7WJV-PQXP containerd CRI — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull
Impact A bug was found in containerd where the CRI plugin propagates labels from an image config LABEL instruction in Dockerfile to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. Patch...
GHSA-R2XF-7JW5-PJG6 Docker MCP Gateway: Argument injection via OCI image label YAML
Summary A maliciously crafted OCI image label can inject arbitrary arguments into the docker run command line constructed by the MCP Gateway. An attacker who controls an image that the victim references via docker://, or that the victim's catalog pulls a snapshot from, can mount the host...
PT-2026-50746
Name of the Vulnerable Software and Affected Versions Docker MCP Plugin affected versions not specified Description A flaw in the OCI image label parsing allows an attacker to inject arbitrary arguments into the docker run command line. This occurs because the io.docker.server.metadata label is...
RHCOS 3 : OpenShift Container Platform 3.9 (RHSA-2018:2013)
The remote Red Hat Enterprise Linux CoreOS 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2013 advisory. - Routing: Malicous Service configuration can bring down routing for an entire shard. CVE-2018-1070 - openshift-ansible: Incorrectly...
OPENSUSE-SU-2024:0269-1 Security update for trivy
trivy was updated to fix the following issues: Update to version 0.54.1: fixflag: incorrect behavior for deprected flag --clear-cache backport: release/v0.54 7285 fixjava: Return error when trying to find a remote pom to avoid segfault backport: release/v0.54 7283 fixplugin: do not call GitHub...
CVE-2023-3384
A flaw was found in the Quay registry. While the image labels created through Quay undergo validation both in the UI and backend by applying a regex validation.py, the same validation is not performed when the label comes from an image. This flaw allows an attacker to publish a malicious image to...
CVE-2023-3384
Technical details about CVE-2023-3384 (affected product/version, root cause, impact, fix) are not provided in the connected documents; monitor for updates.
CVE-2023-3384
A flaw was found in the Quay registry. While the image labels created through Quay undergo validation both in the UI and backend by applying a regex validation.py, the same validation is not performed when the label comes from an image. This flaw allows an attacker to publish a malicious image to...