Sign In

CVE-2022-23471

SOURCE - github

Summary

### Impact A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. ### Patches This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. ### Workarounds Ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers. ### For more information If you have any questions or comments about this advisory: * Open an issue in containerd * Email us at security@containerd.io To report a security issue in containerd: * Report a new vulnerability * Email us at security@containerd.io

EPSS Score: 0.00079 (0.336)

Common Weakness Enumeration (CWE)

SOURCE - nist

CWE-400

Uncontrolled Resource Consumption

CWE-401

Missing Release of Memory after Effective Lifetime

SOURCE - github

CWE-400

Uncontrolled Resource Consumption

CWE-401

Missing Release of Memory after Effective Lifetime

SOURCE - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-401

Missing Release of Memory after Effective Lifetime

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

Sources (10)

Impacted images

nist

CREATED

UPDATED

SOURCE IDCVE-2022-23471
EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-400CWE-401

CVSS SCORE

6.5medium

github

CREATED

UPDATED

SOURCE IDGHSA-2qjp-425j-52j9
EXPLOITABILITY SCORE

2.1

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-400CWE-401

CVSS SCORE

5.7medium

alpine

CREATED

UPDATED

SOURCE IDCVE-2022-23471
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

debian

CREATED

UPDATED

SOURCE IDCVE-2022-23471
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

ubuntu

CREATED

UPDATED

SOURCE IDCVE-2022-23471
EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

6.5medium

gitlab

CREATED

UPDATED

SOURCE ID

CVE-2022-23471

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-1035CWE-401CWE-937

CVSS SCORE

6.5medium

amazon

CREATED

UPDATED

SOURCE IDALAS2023-2023-156
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

suse

CREATED

UPDATED

SOURCE IDCVE-2022-23471
EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

6.5medium

chainguard

CREATED

UPDATED

SOURCE ID

CVE-2022-23471

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

wolfi

CREATED

UPDATED

SOURCE ID

CVE-2022-23471

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE