CVE-2023-25153
Public on 2023-02-16
Modified on 2024-04-29
Description
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | containerd | Pending Fix | ||
| Amazon Linux 2 - Docker Extra | containerd | 2023-03-30 | ALAS2DOCKER-2023-023 | Fixed |
| Amazon Linux 2 - Docker Extra | containerd | 2024-01-19 | ALAS2DOCKER-2024-035 | Fixed |
| Amazon Linux 2 - Ecs Extra | containerd | 2023-03-30 | ALAS2ECS-2023-002 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | containerd | 2023-03-30 | ALAS2NITRO-ENCLAVES-2023-023 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | containerd | 2024-01-19 | ALAS2NITRO-ENCLAVES-2024-035 | Fixed |
| Amazon Linux 2023 | containerd | 2023-03-30 | ALAS2023-2023-156 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| NVD | CVSSv3 | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |