CVE-2022-23648
Public on 2022-02-28
Modified on 2023-01-18
Description
A bug was found in containerd where containers launched through containerd’s CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| HAQM Linux 1 | containerd | 2022-03-01 | ALAS-2022-1568 | Fixed |
| HAQM Linux 2 - Docker Extra | containerd | 2022-03-01 | ALAS2DOCKER-2022-015 | Fixed |
| HAQM Linux 2 - Ecs Extra | containerd | 2022-06-30 | ALAS2ECS-2022-001 | Fixed |
| HAQM Linux 2 - Ecs Extra | containerd | 2023-11-09 | ALAS2ECS-2023-024 | Fixed |
| HAQM Linux 2 - Aws-nitro-enclaves-cli Extra | containerd | 2022-03-04 | ALAS2NITRO-ENCLAVES-2022-015 | Fixed |
| HAQM Linux 2023 | containerd | 2023-02-17 | ALAS2023-2023-079 | Fixed |
| HAQM Linux 2 - Ecs Extra | docker | 2022-06-30 | ALAS2ECS-2022-001 | Fixed |
| HAQM Linux 2 - Ecs Extra | ecs-init | 2022-06-30 | ALAS2ECS-2022-001 | Fixed |
| HAQM Linux 2 - Ecs Extra | runc | 2022-06-30 | ALAS2ECS-2022-001 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| HAQM Linux | CVSSv3 | 5.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N |
| NVD | CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |