CVE-2023-25173
published 2023-02-16


Priority: P3 (41, high)
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.54% (41.4th percentile)
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.
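A check that can be run inside a container to confirm that the update or the `su` workaround actually took effect, added here as an example and not part of the advisory or the containerd project: it reads /etc/group, derives the supplementary groups the current user should hold (what a correct runtime applies via initgroups(3), and what affected containerd versions failed to apply), and compares that with the groups the process really has. The sample /etc/group content is constructed for illustration.

```python
import os

# Constructed sample /etc/group content (not from a real system); a real run
# reads the container's own /etc/group instead.
SAMPLE_GROUP_FILE = """\
root:x:0:
adm:x:4:user
docker:x:999:user,other
nogroup:x:65534:
"""


def expected_supplementary_gids(group_text, username):
    """Return the GIDs of every group whose member list names `username`.

    Each /etc/group line is name:password:gid:member,member,...; this is the
    membership that `su -`, `login` or a correct runtime applies with
    initgroups(3). Malformed lines are skipped rather than failing the check.
    """
    gids = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue
        members = [m for m in fields[3].split(",") if m]
        if username in members:
            gids.add(int(fields[2]))
    return gids


def missing_supplementary_gids(expected, actual, primary_gid):
    """GIDs the user should have but the process lacks (primary GID excluded).

    An empty result means supplementary groups were applied correctly.
    """
    return expected - set(actual) - {primary_gid}


def check_current_process(group_path="/etc/group"):
    """Compare this process's groups with /etc/group; returns missing GIDs."""
    import pwd  # POSIX-only module, so imported where it is needed

    pw = pwd.getpwuid(os.getuid())
    with open(group_path) as fh:
        expected = expected_supplementary_gids(fh.read(), pw.pw_name)
    return missing_supplementary_gids(expected, os.getgroups(), pw.pw_gid)


if __name__ == "__main__":
    missing = check_current_process()
    if missing:
        print("supplementary groups NOT applied; missing GIDs:", sorted(missing))
    else:
        print("supplementary groups match /etc/group")
```

Run it as the container's unprivileged user under both entrypoint styles: a non-empty result with `USER` but an empty one with `ENTRYPOINT ["su", "-", "user"]` is the behaviour the advisory describes.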

Affected

22 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| containerd | containerd | < 1.5.18 | 1.5.18 |
| containerd | containerd | | |
| containerd | containerd | >= 0 < 1.4.13~ds1-1~deb11u4 | 1.4.13~ds1-1~deb11u4 |
| containerd | containerd | >= 0 < 1.6.18~ds1-1 | 1.6.18~ds1-1 |
| containerd | containerd | >= 0 < 1.6.18~ds1-1 | 1.6.18~ds1-1 |
| containerd | containerd | >= 0 < 1.6.18~ds1-1 | 1.6.18~ds1-1 |
| containerd | containerd | >= 0 < 1.6.12-0ubuntu1~20.04.3 | 1.6.12-0ubuntu1~20.04.3 |
| containerd | containerd | >= 0 < 1.6.12-0ubuntu1~22.04.3 | 1.6.12-0ubuntu1~22.04.3 |
| containerd | containerd | >= 0 < 1.2.6-0ubuntu1~16.04.6+esm4 | 1.2.6-0ubuntu1~16.04.6+esm4 |
| containerd | containerd | >= 0 < 1.6.12-0ubuntu1~18.04.1+esm1 | 1.6.12-0ubuntu1~18.04.1+esm1 |
| debian | containerd | < containerd 1.6.18~ds1-1 (bookworm) | containerd 1.6.18~ds1-1 (bookworm) |
| github.com | containerd_containerd | >= 0 < 1.5.18 | 1.5.18 |
| github.com | containerd_containerd | >= 1.6.0 < 1.6.18 | 1.6.18 |
| linuxfoundation | containerd | < 1.5.18 | 1.5.18 |
| linuxfoundation | containerd | >= 1.6.0 < 1.6.18 | 1.6.18 |
| msrc | cbl2_k3s_1.24.12-2_on_cbl_mariner_2.0 | | |
| msrc | cbl2_moby-containerd_1.6.18-2_on_cbl_mariner_2.0 | | |
| msrc | cbl_mariner_1.0_arm | | |
| msrc | cbl_mariner_1.0_x64 | | |
| msrc | cbl_mariner_2.0_arm | | |
| msrc | cbl_mariner_2.0_x64 | | |
| msrc | cm1_moby-containerd_1.6.6+azure-9_on_cbl_mariner_1.0 | | |

CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 7.1 | HIGH | |
| osv | | 7.8 | HIGH | |
| vendor_msrc | | 7.8 | HIGH | |
| vendor_ubuntu | | 6.2 | MEDIUM | |
| vendor_debian | | 5.3 | MEDIUM | |
| vendor_redhat | | 5.3 | MEDIUM | |