CVE-2022-23648
Public on 2022-02-28
Modified on 2023-01-18
Description
A bug was found in containerd where containers launched through containerd’s CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | containerd | 2022-03-01 | ALAS-2022-1568 | Fixed |
| Amazon Linux 2 - Docker Extra | containerd | 2022-03-01 | ALAS2DOCKER-2022-015 | Fixed |
| Amazon Linux 2 - Ecs Extra | containerd | 2022-06-30 | ALAS2ECS-2022-001 | Fixed |
| Amazon Linux 2 - Ecs Extra | containerd | 2023-11-09 | ALAS2ECS-2023-024 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | containerd | 2022-03-04 | ALAS2NITRO-ENCLAVES-2022-015 | Fixed |
| Amazon Linux 2023 | containerd | 2023-02-17 | ALAS2023-2023-079 | Fixed |
| Amazon Linux 2 - Ecs Extra | docker | 2022-06-30 | ALAS2ECS-2022-001 | Fixed |
| Amazon Linux 2 - Ecs Extra | ecs-init | 2022-06-30 | ALAS2ECS-2022-001 | Fixed |
| Amazon Linux 2 - Ecs Extra | runc | 2022-06-30 | ALAS2ECS-2022-001 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N |
| NVD | CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |