Improper Access Control

2024-01-1106:12:32

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cri-o

vulnerability

access control

restrictions

annotation

container resources

kubernetes scheduler

denial of service

software

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

24.2%

JSON

CRI-O is vulnerable to Improper Access Control. The vulnerability is due to improper restrictions of the experimental io.kubernetes.cri-o.UnifiedCgroup annotation, which results in container resources being unconfined. This issue can be exploited by an attacker to specify any amount of memory/cpu, circumventing the kubernetes scheduler and potentially resulting in a denial of service within the node.

CPENameOperatorVersion
github.com/cri-o/cri-oeq1.29.0 
github.com/cri-o/cri-ole1.27.2
github.com/cri-o/cri-ole1.28.2
github.com/cri-o/cri-oeq1.29.0 
github.com/cri-o/cri-ole1.27.2
github.com/cri-o/cri-ole1.28.2

Name	Operator	Version
github.com/cri-o/cri-o	eq	1.29.0
github.com/cri-o/cri-o	le	1.27.2
github.com/cri-o/cri-o	le	1.28.2
github.com/cri-o/cri-o	eq	1.29.0
github.com/cri-o/cri-o	le	1.27.2
github.com/cri-o/cri-o	le	1.28.2