Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2023-25153 #1575

Closed
GoVulnBot opened this issue Feb 16, 2023 · 1 comment
Assignees

Comments

@GoVulnBot
Copy link

CVE-2023-25153 references github.com/containerd/containerd, which may be a Go module.

Description:
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/containerd/containerd
    packages:
      - package: containerd
description: |
    containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
cves:
  - CVE-2023-25153
references:
  - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2
  - fix: https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4
  - web: https://github.com/containerd/containerd/releases/tag/v1.5.18
  - web: https://github.com/containerd/containerd/releases/tag/v1.6.18

@timothy-king
Copy link
Contributor

Duplicate of #1573

@timothy-king timothy-king marked this as a duplicate of #1573 Feb 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants