CVE List
Containerd
CVE | Title | Affected versions | References |
---|---|---|---|
Insufficiently restricted permissions on container root and plugin directories | <1.4.11 <1.5.7 | ||
Archive package allows chmod of file outside of unpack target directory | <=1.4.7 <=1.5.3 | ||
containerd CRI plugin: environment variables can leak between containers | <=1.3.9 <= 1.4.3 | ||
containerd-shim API Exposed to Host Network Containers | <=1.3.7 1.4.0 1.4.1 | ||
containerd v1.2.x can be coerced into leaking credentials during image pull | < 1.3.0 |
CRI-O
CVE | Title | Affected versions | References |
---|---|---|---|
Rights to deploy a pod on a Kubernetes cluster leads to abusing the |
|
Linux kernel
CVE | Title | Required capabilities | References |
---|---|---|---|
An out-of-bounds memory access leads to privilege escalation | CAP_NET_ADMIN | ||
Missing verification allows setting the | CAP_SYS_ADMIN Disabled AppArmor/SELinux Disabled Seccomp | ||
A heap-based buffer overflow flaw in the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel | CAP_SYS_ADMIN | ||
A heap out-of-bounds write in Linux Netfilter | CAP_NET_ADMIN | ||
The flaw in handling of eBPF programs leads to escalate privileges | CAP_SYS_MODULE | ||
The bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory | CAP_SYS_ADMIN | ||
The packet_set_ring function in net/packet/af_packet.c does not properly validate certain block-size data, which allows local users to gain privileges via crafted system calls. | CAP_NET_RAW |
RunC
CVE | Title | Affected versions | References |
---|---|---|---|
mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs | <=1.0.0-rc94 | ||
procfs race condition with a shared volume mount | <1.0.0-rc10 | ||
Overwrite host runc binary due to file-descriptor mishandling | <=1.0-rc6 |
References
Last updated