VulnerableCode Package Details - pkg:deb/debian/containerd@1.4.13~ds1-1~deb11u4

Search for packages

Vulnerability	Summary	Fixed by
VCID-158e-vwx6-g3cx Aliases: CVE-2024-40635 GHSA-265r-hfxg-fhmg	containerd: containerd has an integer overflow in User ID handling	1.5.8~ds1-3 Affected by 0 other vulnerabilities. 1.6.24~ds1-1 Affected by 0 other vulnerabilities. 1.7.24~ds1-6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-158e-vwx6-g3cx
Aliases:
CVE-2024-40635
GHSA-265r-hfxg-fhmg

containerd: containerd has an integer overflow in User ID handling

1.5.8~ds1-3
Affected by 0 other vulnerabilities.

1.6.24~ds1-1
Affected by 0 other vulnerabilities.

1.7.24~ds1-6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-8a7d-8ma4-aaae	containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.	CVE-2022-23471 GHSA-2qjp-425j-52j9
VCID-9qvq-4hcd-aaar	containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.	CVE-2023-25173 GHSA-hmfx-3pcx-653p
VCID-att4-5nrj-aaas	containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.	CVE-2023-25153 GHSA-259w-8hf6-59c2

Vulnerability

Summary

Aliases

VCID-8a7d-8ma4-aaae

containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.

CVE-2022-23471
GHSA-2qjp-425j-52j9

VCID-9qvq-4hcd-aaar

containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.

CVE-2023-25173
GHSA-hmfx-3pcx-653p

VCID-att4-5nrj-aaas

containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

CVE-2023-25153
GHSA-259w-8hf6-59c2

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-06-21T18:49:51.389931+00:00	Debian Oval Importer	Fixing	VCID-att4-5nrj-aaas	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	36.1.3
2025-06-21T08:11:28.866588+00:00	Debian Oval Importer	Fixing	VCID-att4-5nrj-aaas	None	36.1.3
2025-06-21T08:09:56.477614+00:00	Debian Oval Importer	Fixing	VCID-9qvq-4hcd-aaar	None	36.1.3
2025-06-21T06:55:30.137535+00:00	Debian Oval Importer	Fixing	VCID-8a7d-8ma4-aaae	None	36.1.3
2025-06-21T00:18:55.461215+00:00	Debian Importer	Fixing	VCID-8a7d-8ma4-aaae	None	36.1.3
2025-06-08T12:17:00.246715+00:00	Debian Oval Importer	Fixing	VCID-9qvq-4hcd-aaar	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	36.1.0
2025-06-08T11:19:42.105593+00:00	Debian Oval Importer	Fixing	VCID-att4-5nrj-aaas	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	36.1.0
2025-06-08T01:52:46.074494+00:00	Debian Oval Importer	Fixing	VCID-att4-5nrj-aaas	None	36.1.0
2025-06-08T01:51:12.027658+00:00	Debian Oval Importer	Fixing	VCID-9qvq-4hcd-aaar	None	36.1.0
2025-06-08T00:35:09.763671+00:00	Debian Oval Importer	Fixing	VCID-8a7d-8ma4-aaae	None	36.1.0
2025-05-06T18:54:46.942149+00:00	Debian Oval Importer	Affected by	VCID-158e-vwx6-g3cx	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	36.0.0
2025-05-04T06:22:25.612257+00:00	Debian Importer	Affected by	VCID-158e-vwx6-g3cx	https://security-tracker.debian.org/tracker/data/json	36.0.0
2025-04-12T22:21:41.091171+00:00	Debian Oval Importer	Fixing	VCID-8a7d-8ma4-aaae	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	36.0.0
2025-04-12T18:02:48.318798+00:00	Debian Oval Importer	Fixing	VCID-9qvq-4hcd-aaar	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	36.0.0
2025-04-12T17:03:39.726227+00:00	Debian Oval Importer	Fixing	VCID-att4-5nrj-aaas	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	36.0.0
2025-04-08T00:24:26.665719+00:00	Debian Oval Importer	Fixing	VCID-att4-5nrj-aaas	None	36.0.0
2025-04-08T00:22:53.467358+00:00	Debian Oval Importer	Fixing	VCID-9qvq-4hcd-aaar	None	36.0.0
2025-04-07T23:07:23.386654+00:00	Debian Oval Importer	Fixing	VCID-8a7d-8ma4-aaae	None	36.0.0
2025-04-04T03:01:25.646483+00:00	Debian Importer	Fixing	VCID-8a7d-8ma4-aaae	None	36.0.0
2025-02-20T18:03:33.033852+00:00	Debian Importer	Fixing	VCID-8a7d-8ma4-aaae	None	35.1.0
2024-11-23T10:48:37.445429+00:00	Debian Importer	Fixing	VCID-8a7d-8ma4-aaae	None	35.0.0
2024-10-10T08:57:57.378188+00:00	Debian Importer	Fixing	VCID-8a7d-8ma4-aaae	None	34.0.2
2024-09-19T15:25:20.810079+00:00	Debian Importer	Fixing	VCID-8a7d-8ma4-aaae	None	34.0.1
2024-04-25T12:27:54.176499+00:00	Debian Importer	Fixing	VCID-8a7d-8ma4-aaae	None	34.0.0rc4
2024-01-11T14:20:58.680789+00:00	Debian Importer	Fixing	VCID-8a7d-8ma4-aaae	None	34.0.0rc2
2024-01-04T23:52:18.430307+00:00	Debian Importer	Fixing	VCID-8a7d-8ma4-aaae	None	34.0.0rc1

2025-06-21T18:49:51.389931+00:00

Debian Oval Importer

Fixing

VCID-att4-5nrj-aaas

https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2

36.1.3

2025-06-21T08:11:28.866588+00:00

Debian Oval Importer

Fixing

Next non-vulnerable version	1.5.8~ds1-3
Latest non-vulnerable version	1.7.24~ds1-6
Risk	3.1