Search for packages
| purl | pkg:deb/debian/containerd@1.4.5~ds1-2 |
| Next non-vulnerable version | 1.5.8~ds1-3 |
| Latest non-vulnerable version | 1.7.24~ds1-4 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1ucu-ewxj-xfhp
Aliases: CVE-2022-31030 GHSA-5ffw-gxpp-mxpf |
Multiple vulnerabilities have been found in containerd, the worst of which could result in privilege escalation. |
Affected by 6 other vulnerabilities. |
|
VCID-3brf-dmwm-qkgj
Aliases: CVE-2023-25173 GHSA-hmfx-3pcx-653p |
Supplementary groups are not set up properly in github.com/containerd/containerd ### Impact A bug was found in containerd where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. ### Patches This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. ### Workarounds Ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups. ### References - https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/ - Docker/Moby: CVE-2022-36109, fixed in Docker 20.10.18 - CRI-O: CVE-2022-2995, fixed in CRI-O 1.25.0 - Podman: CVE-2022-2989, fixed in Podman 3.0.1 and 4.2.0 - Buildah: CVE-2022-2990, fixed in Buildah 1.27.1 Note that CVE IDs apply to a particular implementation, even if an issue is common. ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new) * Email us at [security@containerd.io](mailto:security@containerd.io) |
Affected by 3 other vulnerabilities. |
|
VCID-9qpc-77v8-13hw
Aliases: CVE-2022-24769 GHSA-2mm7-x5h6-5pvq |
Moby (Docker Engine) started with non-empty inheritable Linux process capabilities ### Impact A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. ### Patches This bug has been fixed in Moby (Docker Engine) 20.10.14. Users should update to this version as soon as possible. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. Refer to `capabilities(7)` for a description of how capabilities work. Note that permitted file capabilities continue to allow for privileges to be raised up to the container's bounding set and that processes may add capabilities to their own inheritable set up to the container's bounding set per the rules described in the manual page. In all cases the container's bounding set provides an upper bound on the capabilities that can be assumed and provides for the container security sandbox. ### Workarounds The entrypoint of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting. ### Credits The Moby project would like to thank [Andrew G. Morgan](https://github.com/AndrewGMorgan) for responsibly disclosing this issue in accordance with the [Moby security policy](https://github.com/moby/moby/blob/master/SECURITY.md). ### For more information If you have any questions or comments about this advisory: * [Open an issue](https://github.com/moby/moby/issues/new) * Email us at [security@docker.com](mailto:security@docker.com) if you think you’ve found a security bug |
Affected by 6 other vulnerabilities. |
|
VCID-f2yv-ut5v-m7ey
Aliases: CVE-2024-25621 GHSA-pwhc-rpq9-4c8w |
containerd affected by a local privilege escalation via wide permissions on CRI directory ### Impact An overly broad default permission vulnerability was found in containerd. - `/var/lib/containerd` was created with the permission bits 0o711, while it should be created with 0o700 - Allowed local users on the host to potentially access the metadata store and the content store - `/run/containerd/io.containerd.grpc.v1.cri` was created with 0o755, while it should be created with 0o700 - Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host. - `/run/containerd/io.containerd.sandbox.controller.v1.shim` was created with 0o711, while it should be created with 0o700 The directory paths may differ depending on the daemon configuration. When the `temp` directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700. ### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. These updates automatically change the permissions of the existing directories. > [!NOTE] > > `/run/containerd` and `/run/containerd/io.containerd.runtime.v2.task` are still created with 0o711. > This is an expected behavior for supporting userns-remapped containers. ### Workarounds The system administrator on the host can manually chmod the directories to not have group or world accessible permisisons: ``` chmod 700 /var/lib/containerd chmod 700 /run/containerd/io.containerd.grpc.v1.cri chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim ``` An alternative mitigation would be to run containerd in [rootless mode](https://github.com/containerd/containerd/blob/main/docs/rootless.md). ### Credits The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md). ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new) |
Affected by 0 other vulnerabilities. |
|
VCID-kuwr-ugf2-rke4
Aliases: CVE-2021-41103 GHSA-c2h3-6mxw-7mvq |
Insufficiently restricted permissions on plugin directories ### Impact A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. ### Patches This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability. ### Workarounds Limit access to the host to trusted users. Update directory permission on container bundles directories. ### For more information If you have any questions or comments about this advisory: * Open an issue in [github.com/containerd/containerd](https://github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) |
Affected by 6 other vulnerabilities. |
|
VCID-tc5s-4nx2-y7d9
Aliases: CVE-2022-23471 GHSA-2qjp-425j-52j9 |
Multiple vulnerabilities have been found in containerd, the worst of which could result in privilege escalation. |
Affected by 3 other vulnerabilities. |
|
VCID-twq1-g136-9kc3
Aliases: CVE-2024-40635 GHSA-265r-hfxg-fhmg |
containerd has an integer overflow in User ID handling ### Impact A bug was found in containerd where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. ### Patches This bug has been fixed in the following containerd versions: * 2.0.4 (Fixed in https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) * 1.7.27 (Fixed in https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) * 1.6.38 (Fixed in https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) Users should update to these versions to resolve the issue. ### Workarounds Ensure that only trusted images are used and that only trusted users have permissions to import images. ### Credits The containerd project would like to thank [Benjamin Koltermann](https://github.com/p4ck3t0) and [emxll](https://github.com/emxll) for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md). ### References * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635 ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new) * Email us at [security@containerd.io](mailto:security@containerd.io) |
Affected by 0 other vulnerabilities. |
|
VCID-xd4a-qav4-uqd1
Aliases: CVE-2025-64329 GHSA-m6hq-p25p-ffr2 |
containerd CRI server: Host memory exhaustion through Attach goroutine leak ### Impact A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. Repetitive calls of CRI Attach (e.g., [`kubectl attach`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_attach/)) could increase the memory usage of containerd. ### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. ### Workarounds Set up an admission controller to control accesses to `pods/attach` resources. e.g., [Validating Admission Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/). ### Credits The containerd project would like to thank @Wheat2018 for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md). ### References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329 ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new) |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-yyye-gaug-8uh2
Aliases: CVE-2023-25153 GHSA-259w-8hf6-59c2 |
OCI image importer memory exhaustion in github.com/containerd/containerd ### Impact When importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. ### Patches This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. ### Workarounds Ensure that only trusted images are used and that only trusted users have permissions to import images. ### Credits The containerd project would like to thank [David Korczynski](https://github.com/DavidKorczynski) and [Adam Korczynski](https://github.com/AdamKorcz) of ADA Logics for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md) during a security fuzzing audit sponsored by CNCF. ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new) * Email us at [security@containerd.io](mailto:security@containerd.io) |
Affected by 3 other vulnerabilities. |
|
VCID-zedh-ff93-yka4
Aliases: CVE-2022-23648 GHSA-crp2-qrr5-8pq7 |
Multiple vulnerabilities have been found in containerd, the worst of which could result in privilege escalation. |
Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||