Containerd
CVE-2023-25173
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.
This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the "USER $USERNAME" Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to ENTRYPOINT ["su", "-", "user"] to allow su to properly set up supplementary groups.
AnalysisAI
containerd is an open source container runtime. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the "USER $USERNAME" Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to ENTRYPOINT ["su", "-", "user"] to allow su to properly set up supplementary groups. Affected products include: Linuxfoundation Containerd.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.
More in Containerd
View allcontainerd is a container runtime available as a daemon for Linux and Windows. Rated high severity (CVSS 7.5), this vuln
Host command execution in containerd's CRI plugin arises because labels from an image config (Dockerfile LABEL instructi
Kubernetes device-plugin and resource-allocation enforcement can be bypassed in containerd by a namespace user holding p
Arbitrary host file disclosure in containerd's CRI plugin lets an attacker read any file on the Kubernetes node via `kub
containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. Rated high se
containerd is an open source container runtime. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploit
containerd is a container runtime. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no auth
In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through con
In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability
Checkpoint image poisoning in containerd's CRI implementation allows an attacker with pod-creation permissions to corrup
containerd is an open source container runtime. Rated medium severity (CVSS 5.5), this vulnerability is no authenticatio
containerd is an open source container runtime. Rated medium severity (CVSS 5.5), this vulnerability is low attack compl
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today