Fluid Attacks Database

Description

containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	containerd	>=0 <1.6.18~ds1-1	1.6.18~ds1-1
debian 11	containerd	=1.4.12~ds1-1~deb11u1 \|\| =1.4.13~ds1-1~deb11u1 \|\| =1.4.13~ds1-1~deb11u2 \|\| =1.4.13~ds1-1~deb11u3 \|\| =1.4.5~ds1-2 \|\| =1.4.5~ds1-2+deb11u1 \|\| >=0 <1.4.13~ds1-1~deb11u4	1.4.13~ds1-1~deb11u4
debian 12	containerd	>=0 <1.6.18~ds1-1	1.6.18~ds1-1
debian 14	containerd	>=0 <1.6.18~ds1-1	1.6.18~ds1-1
go	github.com/containerd/containerd	>=0 <1.5.18 \|\| >=1.6.0 <1.6.18	1.5.18, 1.6.18

Aliases

1. CVE-2023-251532. NVD-2023-251533. OSV-DEBIAN-2023-251534. OSV-2023-251535. GHSA-259w-8hf6-59c26. GCVE-2023-251537. SECURITY-TRACKER-CVE-2023-25153

References

1. https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c22. https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c43. https://github.com/containerd/containerd/releases/tag/v1.5.184. https://github.com/containerd/containerd/releases/tag/v1.6.185. https://pkg.go.dev/vuln/GO-2023-1573

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.