
CVE-2023-25153

Public on 2023-02-16
Modified on 2023-02-17
Description

containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
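The weakness described above is a read with no upper bound: an importer that pulls a file out of an image archive with a plain `io.ReadAll` lets the image author dictate how much memory the host allocates. The following is an added illustration, not containerd's own code; the `readEntryBounded` and `firstEntryBounded` helpers and the 1 MiB limit are assumptions for this example, and the archive is constructed in memory to stand in for a crafted image.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// errEntryTooLarge is returned when an archive entry exceeds the caller's limit.
var errEntryTooLarge = errors.New("archive entry exceeds size limit")

// readEntryBounded reads at most limit bytes; reading limit+1 makes overflow detectable.
func readEntryBounded(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, errEntryTooLarge
	}
	return data, nil
}

// buildImageTar constructs an in-memory tar with one entry of the given size (test input).
func buildImageTar(name string, size int) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	_ = tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(size)})
	_, _ = tw.Write(bytes.Repeat([]byte("A"), size))
	_ = tw.Close()
	return buf.Bytes()
}

// firstEntryBounded reads the archive's first entry under the limit and
// returns how many bytes were accepted.
func firstEntryBounded(archive []byte, limit int64) (int, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	if _, err := tr.Next(); err != nil {
		return 0, err
	}
	data, err := readEntryBounded(tr, limit)
	return len(data), err
}

func main() {
	small := buildImageTar("entry.json", 512)
	huge := buildImageTar("entry.json", 8<<20)
	fmt.Println(firstEntryBounded(small, 1<<20)) // 512 <nil>
	fmt.Println(firstEntryBounded(huge, 1<<20))  // 0 archive entry exceeds size limit
}
```

The bounded reader never allocates more than the limit plus one byte, so an oversized entry is rejected with a clear error instead of exhausting memory.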

Severity
Medium
CVSS v3 Base Score
6.2

Affected Packages

Platform                                   Package     Release Date       Advisory
Amazon Linux 2 - Docker Extra              containerd  2024-01-19 02:20   ALAS2DOCKER-2024-035
Amazon Linux 2 - Docker Extra              containerd  2023-03-30 22:08   ALAS2DOCKER-2023-023
Amazon Linux 2 - Ecs Extra                 containerd  2023-03-30 22:07   ALAS2ECS-2023-002
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra  containerd  2024-01-19 02:20   ALAS2NITRO-ENCLAVES-2024-035
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra  containerd  2023-03-30 22:07   ALAS2NITRO-ENCLAVES-2023-023
Amazon Linux 2023                          containerd  2023-03-30 21:11   ALAS2023-2023-156

CVSS Scores

Score Type     Score  Vector
Amazon Linux   6.2    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSSv3)
NVD            6.2    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSSv3)