VulnerableCode Package Details - pkg:golang/github.com/cri-o/cri-o@1.23.1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-s6sw-jsfr-xyhv	Incorrect Permission Assignment for Critical Resource in CRI-O An incorrect sysctls validation vulnerability was found in CRI-O 1.18 and earlier. The sysctls from the list of "safe" sysctls specified for the cluster will be applied to the host if an attacker is able to create a pod with a hostIPC and hostNetwork kernel namespace.	CVE-2022-0532 GHSA-jqmc-79gx-7g8p
VCID-w3mr-v5ew-vfcj	Sysctls applied to containers with host IPC or host network namespaces can affect the host ### Impact Before setting the sysctls for a pod, the pods namespaces must be unshared (created). However, in cases where the pod is using a host network or IPC namespace, a bug in CRI-O caused the namespace creating tool [pinns](https://github.com/cri-o/cri-o/tree/main/pinns/) to configure the sysctls of the host. This allows a malicious user to set sysctls on the host, assuming they have access to hostNetwork and hostIPC. Any CRI-O cluster after CRI-O 1.18 that drops the infra container 1.22 and 1.23 clusters drop infra container by default, and are thus vulnerable by default. ### Patches CRI-O versions 1.24.0, 1.23.1, 1.22.2, 1.21.5, 1.20.6, 1.19.5 all have the patches. ### Workarounds Users can set `manage_ns_lifecycle` to false, which causes the sysctls to be configured by the OCI runtime, which typically filter these cases. This option is available in 1.20 and 1.19. Newer versions don't have this option. An admission webhook could also be created to deny pods that use host IPC or network namespaces and also attempt to configure sysctls related to that namespace. ### For more information If you have any questions or comments about this advisory: * Open an issue in [the CRI-O repo](http://github.com/cri-o/cri-o/issues) * To make a report, email your vulnerability to the private [cncf-crio-security@lists.cncf.io](mailto:cncf-crio-security@lists.cncf.io) list with the security details and the details expected for [all CRI-O bug reports](https://github.com/cri-o/cri-o/blob/main/.github/ISSUE_TEMPLATE/bug-report.yml).	GHSA-w2j5-3rcx-vx7x

Vulnerability

Summary

Aliases

VCID-s6sw-jsfr-xyhv

Incorrect Permission Assignment for Critical Resource in CRI-O An incorrect sysctls validation vulnerability was found in CRI-O 1.18 and earlier. The sysctls from the list of "safe" sysctls specified for the cluster will be applied to the host if an attacker is able to create a pod with a hostIPC and hostNetwork kernel namespace.

CVE-2022-0532
GHSA-jqmc-79gx-7g8p

VCID-w3mr-v5ew-vfcj

Sysctls applied to containers with host IPC or host network namespaces can affect the host ### Impact Before setting the sysctls for a pod, the pods namespaces must be unshared (created). However, in cases where the pod is using a host network or IPC namespace, a bug in CRI-O caused the namespace creating tool [pinns](https://github.com/cri-o/cri-o/tree/main/pinns/) to configure the sysctls of the host. This allows a malicious user to set sysctls on the host, assuming they have access to hostNetwork and hostIPC. Any CRI-O cluster after CRI-O 1.18 that drops the infra container 1.22 and 1.23 clusters drop infra container by default, and are thus vulnerable by default. ### Patches CRI-O versions 1.24.0, 1.23.1, 1.22.2, 1.21.5, 1.20.6, 1.19.5 all have the patches. ### Workarounds Users can set `manage_ns_lifecycle` to false, which causes the sysctls to be configured by the OCI runtime, which typically filter these cases. This option is available in 1.20 and 1.19. Newer versions don't have this option. An admission webhook could also be created to deny pods that use host IPC or network namespaces and also attempt to configure sysctls related to that namespace. ### For more information If you have any questions or comments about this advisory: * Open an issue in [the CRI-O repo](http://github.com/cri-o/cri-o/issues) * To make a report, email your vulnerability to the private [cncf-crio-security@lists.cncf.io](mailto:cncf-crio-security@lists.cncf.io) list with the security details and the details expected for [all CRI-O bug reports](https://github.com/cri-o/cri-o/blob/main/.github/ISSUE_TEMPLATE/bug-report.yml).

GHSA-w2j5-3rcx-vx7x

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:06:49.660522+00:00	GithubOSV Importer	Fixing	VCID-w3mr-v5ew-vfcj	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-w2j5-3rcx-vx7x/GHSA-w2j5-3rcx-vx7x.json	38.0.0
2026-04-01T13:06:12.494084+00:00	GithubOSV Importer	Fixing	VCID-s6sw-jsfr-xyhv	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-jqmc-79gx-7g8p/GHSA-jqmc-79gx-7g8p.json	38.0.0

2026-04-01T13:06:49.660522+00:00

GithubOSV Importer

Fixing

VCID-w3mr-v5ew-vfcj

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-w2j5-3rcx-vx7x/GHSA-w2j5-3rcx-vx7x.json

38.0.0

2026-04-01T13:06:12.494084+00:00

GithubOSV Importer

Fixing

VCID-s6sw-jsfr-xyhv

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-jqmc-79gx-7g8p/GHSA-jqmc-79gx-7g8p.json

38.0.0