GO-2023-1574

See a problem?

Source

https://pkg.go.dev/vuln/GO-2023-1574

Import Source

https://vuln.go.dev/ID/GO-2023-1574.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2023-1574

Aliases

Related

Published

2023-02-17T20:52:58Z

Modified

2024-09-11T06:12:24.362864Z

Summary

Privilege escalation via supplementary groups in github.com/containerd/containerd

Details

Supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases and potentially escalate privileges in the container. Uses of the containerd client library may also have improperly setup supplementary groups.

References

Affected packages

Go / github.com/containerd/containerd

Package

Name: github.com/containerd/containerd; View open source insights on deps.dev
Purl: pkg:golang/github.com/containerd/containerd

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5.18

Introduced

1.6.0

Fixed

1.6.18

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/containerd/containerd/oci",
            "symbols": [
                "WithAdditionalGIDs",
                "WithUIDGID",
                "WithUser",
                "WithUserID",
                "WithUsername"
            ]
        },
        {
            "path": "github.com/containerd/containerd/pkg/cri/server",
            "symbols": [
                "criService.CreateContainer",
                "criService.containerSpecOpts",
                "instrumentedAlphaService.CreateContainer",
                "instrumentedService.CreateContainer"
            ]
        }
    ]
}