search

vipinsun / minifabric

Do fabric network the right and easy way.
Apache License 2.0
0 stars 0 forks source link

CVE-2021-43816 (High) detected in github.com/containerd/Containerd-v1.5.5 - autoclosed #159

Closed mend-bolt-for-github[bot] closed 3 weeks ago

mend-bolt-for-github[bot] commented 9 months ago

CVE-2021-43816 - High Severity Vulnerability

Vulnerable Library - github.com/containerd/Containerd-v1.5.5

An open and reliable container runtime

Library home page: https://proxy.golang.org/github.com/containerd/containerd/@v/v1.5.5.zip

Path to dependency file: /chaincode/cmcc/go/go.mod

Path to vulnerable library: /chaincode/cmcc/go/go.mod

Dependency Hierarchy: - github.com/hyperledger/fabric-v1.4.1 (Root Library) - github.com/fsouza/go-dockerclient-v1.7.3 - github.com/Docker/Docker-v20.10.8+incompatible - :x: **github.com/containerd/Containerd-v1.5.5** (Vulnerable Library)

Found in HEAD commit: 655167764fcdebd1047d2f63249a7596884c4b03

Found in base branch: main

Vulnerability Details

containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.

Publish Date: 2022-01-05

URL: CVE-2021-43816

CVSS 3 Score Details (8.0)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: High - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c

Release Date: 2022-01-05

Fix Resolution: v1.5.9

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] commented 3 weeks ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.