CVE-2023-25153 references github.com/containerd/containerd, which may be a Go module.
Description:
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
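The failure mode the advisory describes, as an added Go example (it is not containerd's code and not the fix in commit 0c31490): a metadata entry pulled out of an image tar is read through io.LimitReader with a cap one byte above the allowed size, so an oversized entry is rejected instead of being buffered whole. The in-memory archive builder, the entry name index.json and the 1 KiB cap are constructed for the demonstration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

var errTooLarge = errors.New("tar entry exceeds read limit")

// readEntry returns the contents of the tar entry called name, reading at most limit bytes.
// The header's Size field is attacker-controlled, so the bound is enforced on the bytes consumed.
func readEntry(archive []byte, name string, limit int64) ([]byte, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err != nil { // io.EOF here means the entry was never found
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		if hdr.Name != name {
			continue
		}
		// Read one byte past the limit: if that byte arrives, the entry is too large.
		buf, err := io.ReadAll(io.LimitReader(tr, limit+1))
		if err != nil {
			return nil, err
		}
		if int64(len(buf)) > limit {
			return nil, errTooLarge
		}
		return buf, nil
	}
}

// makeArchive builds a constructed single-entry tar (sample input, not a real image).
func makeArchive(name string, content []byte) []byte {
	var b bytes.Buffer
	tw := tar.NewWriter(&b)
	tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(content))})
	tw.Write(content)
	tw.Close()
	return b.Bytes()
}

func main() {
	huge := makeArchive("index.json", bytes.Repeat([]byte("A"), 4096)) // oversized entry
	_, err := readEntry(huge, "index.json", 1024)                      // 1 KiB cap, chosen for the demo
	fmt.Println(err)
}
```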
References:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-25153
- JSON: https://github.com/CVEProject/cvelist/tree/58b1ebeb511027c67b6161fcb4218e53404d4121/2023/25xxx/CVE-2023-25153.json
- advisory: GHSA-259w-8hf6-59c2
- fix: containerd/containerd@0c31490
- web: https://github.com/containerd/containerd/releases/tag/v1.5.18
- web: https://github.com/containerd/containerd/releases/tag/v1.6.18
- Imported by: https://pkg.go.dev/github.com/containerd/containerd?tab=importedby
Cross references:
- Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-43816 #278 EFFECTIVELY_PRIVATE
- Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2022-23648 #344 EFFECTIVELY_PRIVATE
- Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2022-31030 #482 EFFECTIVELY_PRIVATE
- Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd/cmd: GHSA-36xw-fx78-c5r4 #784 NOT_IMPORTABLE
- Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-742w-89gc-8m9c #803 NOT_IMPORTABLE
- Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-32760, GHSA-c72p-9xmj-rx3w #921 NOT_IMPORTABLE
- Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-41103, GHSA-c2h3-6mxw-7mvq #938 NOT_IMPORTABLE
- Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2022-23471 #1147 EFFECTIVELY_PRIVATE
See doc/triage.md for instructions on how to triage this report.
modules:
    - module: github.com/containerd/containerd
      packages:
        - package: containerd
description: |
    containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
cves:
    - CVE-2023-25153
references:
    - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2
    - fix: https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4
    - web: https://github.com/containerd/containerd/releases/tag/v1.5.18
    - web: https://github.com/containerd/containerd/releases/tag/v1.6.18