Containerd
CVE-2023-25153
MEDIUM
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
AnalysisAI
containerd is an open source container runtime. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
Technical ContextAI
This vulnerability is classified as Allocation of Resources Without Limits (CWE-770), which allows attackers to exhaust system resources through uncontrolled allocation. containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images. Affected products include: Linuxfoundation Containerd.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Set resource limits, implement rate limiting, validate input sizes.
More in Containerd
View allcontainerd is an open source container runtime. Rated high severity (CVSS 7.8), this vulnerability is low attack complex
containerd is a container runtime available as a daemon for Linux and Windows. Rated high severity (CVSS 7.5), this vuln
Host command execution in containerd's CRI plugin arises because labels from an image config (Dockerfile LABEL instructi
Kubernetes device-plugin and resource-allocation enforcement can be bypassed in containerd by a namespace user holding p
Arbitrary host file disclosure in containerd's CRI plugin lets an attacker read any file on the Kubernetes node via `kub
containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. Rated high se
containerd is an open source container runtime. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploit
containerd is a container runtime. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no auth
In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through con
In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability
Checkpoint image poisoning in containerd's CRI implementation allows an attacker with pod-creation permissions to corrup
containerd is an open source container runtime. Rated medium severity (CVSS 5.5), this vulnerability is low attack compl
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today