| Severity |
|
| Remote |
|
| Type |
|
| Description |
| + |
containers launched through containerd’s CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. |
|
| References |
| + |
https://github.com/containerd/containerd/commit/10f428dac7cec44c864e1b830a4623af27a9fc70 |
| + |
https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7 |
| + |
https://github.com/containerd/containerd/releases/tag/v1.6.1 |
|
| Notes |
| + |
Workarounds: Ensure that only trusted images are used. |
|