Vulnerability Report: GO-2023-1574
- CVE-2023-25173, GHSA-hmfx-3pcx-653p
- Affects: github.com/containerd/containerd, github.com/containerd/containerd
- Published: Feb 17, 2023
- Modified: Apr 26, 2024
Supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases and potentially escalate privileges in the container. Uses of the containerd client library may also have improperly setup supplementary groups.
For detailed information about this vulnerability, visit https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p.
Affected Packages
-
PathVersionsSymbols
-
from v1.6.0 before v1.6.18
5 affected symbols
-
from v1.6.0 before v1.6.18all symbols
-
before v1.5.18
5 affected symbols
-
before v1.5.18all symbols
Aliases
References
- https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p
- https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4
- https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a
- https://github.com/advisories/GHSA-4wjj-jwc9-2x96
- https://github.com/advisories/GHSA-fjm8-m7m6-2fjp
- https://github.com/advisories/GHSA-phjr-8j92-w5v7
- https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
- https://vuln.go.dev/ID/GO-2023-1574.json
Feedback
See anything missing or incorrect?
Suggest an edit to this report.