CVE-2022-23648
published 2022-03-03


Priority: P2 (60, high)
CVSS 3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 27.39% (97.8th percentile)
containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.4.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.

Affected

20 ranges

Vendor          | Product                                                | Version range                          | Fixed in
----------------|--------------------------------------------------------|----------------------------------------|------------------------------------
containerd      | containerd                                             | < 1.4.13                               | 1.4.13
containerd      | containerd                                             |                                        |
containerd      | containerd                                             |                                        |
containerd      | containerd                                             | >= 0 < 1.4.13~ds1-1~deb11u1            | 1.4.13~ds1-1~deb11u1
containerd      | containerd                                             | >= 0 < 1.6.1~ds1-1                     | 1.6.1~ds1-1
containerd      | containerd                                             | >= 0 < 1.6.1~ds1-1                     | 1.6.1~ds1-1
containerd      | containerd                                             | >= 0 < 1.6.1~ds1-1                     | 1.6.1~ds1-1
containerd      | containerd                                             | >= 0 < 1.2.6-0ubuntu1~16.04.6+esm2     | 1.2.6-0ubuntu1~16.04.6+esm2
debian          | containerd                                             | < containerd 1.6.1~ds1-1 (bookworm)    | containerd 1.6.1~ds1-1 (bookworm)
debian          | debian_linux                                           |                                        |
fedoraproject   | fedora                                                 |                                        |
fedoraproject   | fedora                                                 |                                        |
fedoraproject   | fedora                                                 |                                        |
github.com      | containerd_containerd                                  | >= 0 < 1.4.13                          | 1.4.13
github.com      | containerd_containerd                                  | >= 1.5.0 < 1.5.10                      | 1.5.10
github.com      | containerd_containerd                                  | >= 1.6.0 < 1.6.1                       | 1.6.1
linuxfoundation | containerd                                             | < 1.4.13                               | 1.4.13
linuxfoundation | containerd                                             | >= 1.5.0 < 1.5.10                      | 1.5.10
linuxfoundation | containerd                                             | >= 1.6.0 < 1.6.1                       | 1.6.1
msrc            | cm1_moby-containerd_1.5.9+azure-3_on_cbl_mariner_1.0   |                                        |

Detection & IOCs (extracted from sources)

  • Detect exploitation by inspecting OCI image configurations (the image config blob) for path traversal sequences in Config.Volumes paths: a Volume path containing a traversal segment (e.g. '../') is the primitive used to copy arbitrary host files into the container.
  • The vulnerability is triggered through containerd's CRI plugin when it handles an OCI image config whose 'Volumes' entries contain path traversal. Monitor for unexpected file copies from host paths into container-mounted paths; this is the observable effect of the copyExistingContents function being abused.
  • Alert on pod creation events where the container image config includes Config.Volumes entries with path traversal patterns. An attacker with pod creation privileges can trigger the vulnerability without using any actual Kubernetes volumes.
  • cri-o is not affected by this flaw; Red Hat products that use cri-o as the default runtime are not impacted, which lowers detection priority in those environments.
  • Exploitation may bypass policy-based enforcement such as Kubernetes Pod Security Policy, so PSP-based detections or controls will neither prevent nor surface this attack.
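The first and third bullets describe a check a defender can run before an image is admitted: parse the image config blob and flag any Config.Volumes key with a '..' segment. The following is an added example, not code from this page or from containerd; it assumes the Volumes map lives under the OCI 'config' key (or the Docker-style 'Config' key) and uses constructed sample configs rather than real images.

```python
import json
from typing import Dict, List

# Constructed sample image config blobs (not real images). The second one
# carries Volumes keys with '..' segments, the primitive this CVE describes.
BENIGN_CONFIG = json.dumps({
    "architecture": "amd64", "os": "linux",
    "config": {"Volumes": {"/data": {}, "/var/log/app": {}}},
})
TRAVERSAL_CONFIG = json.dumps({
    "architecture": "amd64", "os": "linux",
    "config": {"Volumes": {"/data": {}, "/tmp/../../../../etc": {},
                           "../../root/.ssh": {}}},
})


def has_traversal(path: str) -> bool:
    """True if any segment of the volume path is '..'. Backslashes are
    unified to '/' first so a Windows-style '..' segment is not missed."""
    return any(seg == ".." for seg in path.replace("\\", "/").split("/"))


def find_traversal_volumes(image_config: dict) -> List[str]:
    """Return the Volumes keys of a parsed image config that contain
    traversal. Assumption: the config section may be spelled either
    'config' (OCI) or 'Config' (Docker-style); both are accepted."""
    cfg = image_config.get("config") or image_config.get("Config") or {}
    volumes = cfg.get("Volumes") or {}
    return sorted(v for v in volumes if has_traversal(v))


def scan_image_configs(blobs: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan raw config JSON blobs keyed by image reference and return only
    the images that carry at least one traversal volume."""
    findings: Dict[str, List[str]] = {}
    for ref, raw in blobs.items():
        try:
            bad = find_traversal_volumes(json.loads(raw))
        except (ValueError, AttributeError):
            continue  # not a JSON object; skip rather than abort the scan
        if bad:
            findings[ref] = bad
    return findings


if __name__ == "__main__":
    sample = {"app:good": BENIGN_CONFIG, "app:bad": TRAVERSAL_CONFIG}
    for ref, keys in scan_image_configs(sample).items():
        print(f"{ref}: traversal in Config.Volumes -> {keys}")
```

The same function can be wired into an admission webhook or a registry scan so that an image is rejected before containerd's CRI plugin ever sees it.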

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|------------------------------------------------
nvd           | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd           | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:P/I:N/A:N
osv           |         | 7.5   | HIGH     |
vendor_debian |         | 7.5   | HIGH     |
vendor_msrc   |         | 7.5   | HIGH     |
vendor_redhat |         | 7.5   | HIGH     |
vendor_ubuntu |         | 5.0   | MEDIUM   |