MSRC CBL2 CRI-O 1.22.3-14 on CBL Mariner 2.0 vulnerabilities
14 known vulnerabilities affecting msrc/cbl2_cri-o_1.22.3-14_on_cbl_mariner_2.0.
Total CVEs: 14
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 9, MEDIUM 5
Vulnerabilities
CVE-2024-44337 | MEDIUM | CVSS 5.1 | 2024-10-08
The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion `v0.0.0-20240729232818-a2a9c4f`, which corresponds with commit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252`, there was a logical problem in the
msrc
CVE-2024-9341 | MEDIUM | CVSS 5.4 | CWE-59 | 2024-10-08
Podman: buildah: cri-o: fips crypto-policy directory mounting issue in containers/common go library
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date
msrc
CVE-2024-9676 | MEDIUM | CVSS 6.5 | CWE-22 | 2024-10-08
Podman: buildah: cri-o: symlink traversal vulnerability in the containers/storage library can cause denial of service (dos)
msrc
CVE-2024-3727 | HIGH | CVSS 8.3 | CWE-354 | 2024-05-14
Containers/image: digest type does not guarantee valid type
msrc
CVE-2024-3154 | HIGH | CVSS 7.2 | CWE-77 | 2024-04-09
Cri-o: arbitrary command injection via pod annotation
msrc
CVE-2023-6476 | MEDIUM | CVSS 6.5 | CWE-770 | 2024-01-09
Cri-o: pods are able to break out of resource confinement on cgroupv2
msrc
CVE-2023-5528 | HIGH | CVSS 7.2 | CWE-20 | 2023-11-14
Kubernetes - Windows nodes - Insufficient input sanitization in in-tree storage plugin leads to privilege escalation
msrc
CVE-2022-4318 | HIGH | CVSS 7.8 | CWE-538 | 2023-09-12
Cri-o: /etc/passwd tampering privesc
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is com
msrc
CVE-2023-42821 | HIGH | CVSS 7.5 | CWE-125 | 2023-09-12
github.com/gomarkdown/markdown Out-of-bounds Read while parsing citations
msrc
CVE-2023-0778 | MEDIUM | CVSS 6.8 | CWE-367 | 2023-03-14
A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system.
msrc
CVE-2021-43565 | HIGH | CVSS 7.5 | 2022-09-13
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
msrc
CVE-2022-2995 | HIGH | CVSS 7.1 | CWE-732 | 2022-09-13
Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permiss
msrc
CVE-2022-1708 | HIGH | CVSS 7.5 | CWE-770 | 2022-06-14
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execu
msrc
CVE-2022-0811 | HIGH | CVSS 8.8 | CWE-94 | 2022-03-08
A flaw was found in CRI-O in the way it set kernel options for a pod. This issue allows anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime to achieve a container escape and arbitrary code execution as root on the cluster node, where th
msrc