CVE-2022-23648
Severity: HIGH 7.5 | EPSS 6.0%
containerd CRI plugin: Insecure handling of image volumes
Description
### Impact

A bug was found in containerd where containers launched through containerd’s CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information.

Kubernetes and crictl can both be configured to use containerd’s CRI implementation.

### Patches

This bug has been fixed in containerd 1.6.1, 1.5.10 and 1.4.13. Users should update to these versions to resolve the issue.

### Workarounds

Ensure that only trusted images are used.

### Credits

The containerd project would like to thank Felix Wilhelm of Google Project Zero for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md).

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose)
* Email us at [[email protected]](mailto:[email protected])
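The patch and affected-range information above is what an operator needs to triage this advisory across a fleet. The following Go program is an added example, not containerd's own code, that encodes the affected ranges listed on this page (< 1.4.13, >= 1.5.0 < 1.5.10, >= 1.6.0 < 1.6.1) as half-open intervals and reports whether a given containerd version string falls inside one of them. The version strings in `main` are constructed samples; the `IsAffected` function and the range table are assumptions of this example, not an API of the containerd project.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed MAJOR.MINOR.PATCH triple plus a flag for a pre-release
// suffix (semver orders "1.6.1-rc.1" before "1.6.1", which matters here
// because 1.6.1 is the fixed version).
type version struct {
	major, minor, patch int
	pre                 bool
}

// parseVersion accepts strings such as "1.5.9", "v1.6.1" or "1.4.13-beta.1".
// A leading "v" is dropped; a "-" suffix marks a pre-release; "+" build
// metadata is ignored.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.Index(s, "+"); i >= 0 {
		s = s[:i]
	}
	pre := false
	if i := strings.Index(s, "-"); i >= 0 {
		pre = true
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("expected MAJOR.MINOR.PATCH, got %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		nums[i] = n
	}
	return version{nums[0], nums[1], nums[2], pre}, nil
}

// less reports whether a < b in semantic-version order.
func (a version) less(b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.pre && !b.pre // same triple: pre-release sorts first
}

// vulnRange is a half-open interval [introduced, fixed).
type vulnRange struct{ introduced, fixed version }

// cve202223648Ranges mirrors the affected ranges from the advisory
// (hypothetical table constructed for this example).
var cve202223648Ranges = []vulnRange{
	{version{0, 0, 0, false}, version{1, 4, 13, false}},
	{version{1, 5, 0, false}, version{1, 5, 10, false}},
	{version{1, 6, 0, false}, version{1, 6, 1, false}},
}

// IsAffected reports whether the given containerd version falls inside any
// affected range of CVE-2022-23648.
func IsAffected(containerdVersion string) (bool, error) {
	v, err := parseVersion(containerdVersion)
	if err != nil {
		return false, err
	}
	for _, r := range cve202223648Ranges {
		if !v.less(r.introduced) && v.less(r.fixed) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs; in practice feed in the version reported by
	// `containerd --version` or by the kubelet's node status for each host.
	for _, s := range []string{"1.4.12", "v1.4.13", "1.5.9", "1.5.10", "1.6.1-rc.1", "1.6.1", "1.7.0"} {
		affected, err := IsAffected(s)
		if err != nil {
			fmt.Println(s, "error:", err)
			continue
		}
		fmt.Printf("%-10s affected=%v\n", s, affected)
	}
}
```

Distribution builds such as Debian's `1.4.13~ds1-1~deb11u1` carry their own version scheme and backported fixes, so for packaged containerd compare against the distribution's fixed package version rather than the upstream ranges encoded here.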
Affected packages (4)
- Debian / containerd: from 0, < 1.4.13~ds1-1~deb11u1
- Debian / containerd: from 0, < 1.4.13~ds1-1~deb11u1
- Go / github.com/containerd/containerd: from 0, < 1.4.13
- Go / github.com/containerd/containerd: from 0, < 1.4.13; >= 1.5.0, < 1.5.10; >= 1.6.0, < 1.6.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (17)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-23648
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2022-23648
- PATCH https://github.com/containerd/containerd
- WEB http://packetstormsecurity.com/files/166421/containerd-Image-Volume-Insecure-Handling.html
- WEB https://github.com/containerd/containerd/commit/10f428dac7cec44c864e1b830a4623af27a9fc70
- WEB https://github.com/containerd/containerd/releases/tag/v1.4.13
- WEB https://github.com/containerd/containerd/releases/tag/v1.5.10
- WEB https://github.com/containerd/containerd/releases/tag/v1.6.1
- WEB https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
- WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA
- WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3
- WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO
- WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA
- WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3
- WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO
- WEB https://security.gentoo.org/glsa/202401-31
- WEB https://www.debian.org/security/2022/dsa-5091