CVE-2023-25153

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-25153

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-25153.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-25153

Aliases

Related

Published

2023-02-16T15:15:19Z

Modified

2024-09-11T06:12:38.397556Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

References

Affected packages

Debian:11 / containerd

Package

Name: containerd
Purl: pkg:deb/debian/containerd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.13~ds1-1~deb11u4

Affected versions

1.*

1.4.5~ds1-2

1.4.5~ds1-2+deb11u1

1.4.12~ds1-1~deb11u1

1.4.13~ds1-1~deb11u1

1.4.13~ds1-1~deb11u2

1.4.13~ds1-1~deb11u3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / containerd

Package

Name: containerd
Purl: pkg:deb/debian/containerd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6.18~ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / containerd

Package

Name: containerd
Purl: pkg:deb/debian/containerd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6.18~ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/containerd/containerd

Affected ranges

Type: GIT
Repo: https://github.com/containerd/containerd
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0c314901076a74a7b797a545d2f462285fdbb8c4

Affected versions

0.*

0.0.2

0.0.3

0.0.4

0.0.5

api/v1.*

api/v1.6.0-beta.1

api/v1.6.0-beta.2

api/v1.6.0-beta.3

v0.*

v0.1.0

v0.2.0

v0.2.3

v1.*

v1.0.0

v1.0.0-alpha0

v1.0.0-alpha1

v1.0.0-alpha2

v1.0.0-alpha3

v1.0.0-alpha4

v1.0.0-alpha5

v1.0.0-alpha6

v1.0.0-beta.0

v1.0.0-beta.1

v1.0.0-beta.2

v1.0.0-beta.3

v1.0.0-rc.0

v1.1.0

v1.1.0-rc.0

v1.1.0-rc.1

v1.1.0-rc.2

v1.2.0

v1.2.0-beta.0

v1.2.0-beta.1

v1.2.0-beta.2

v1.2.0-rc.0

v1.2.0-rc.1

v1.2.0-rc.2

v1.3.0

v1.3.0-beta.0

v1.3.0-beta.1

v1.3.0-beta.2

v1.3.0-rc.0

v1.3.0-rc.1

v1.3.0-rc.2

v1.3.0-rc.3

v1.4.0

v1.4.0-beta.0

v1.4.0-beta.1

v1.4.0-beta.2

v1.4.0-rc.0

v1.4.0-rc.1

v1.5.0

v1.5.0-beta.0

v1.5.0-beta.1

v1.5.0-beta.2

v1.5.0-beta.3

v1.5.0-beta.4

v1.5.0-rc.0

v1.5.0-rc.1

v1.5.0-rc.2

v1.5.0-rc.3

v1.6.0

v1.6.0-beta.0

v1.6.0-beta.1

v1.6.0-beta.2

v1.6.0-beta.3

v1.6.0-beta.4

v1.6.0-beta.5

v1.6.0-rc.0

v1.6.0-rc.1

v1.6.0-rc.2

v1.6.0-rc.3

v1.6.0-rc.4

v1.6.1

v1.6.10

v1.6.11

v1.6.12

v1.6.13

v1.6.14

v1.6.15

v1.6.16

v1.6.17

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.8

v1.6.9