Versio.io

CVE-2022-1708

Common vulnerabilities & exposures (CVE)

Published at: 07-06-2022 08:15
Last modified: 14-06-2022 05:44
Total changes: 1

Description

A vulnerability was found in CRI-O that lets anyone with access to the Kube API exhaust memory or disk space on the node. The ExecSync request runs a command in a container and logs the command's output. After the command finishes, CRI-O reads that output back, and it does so by reading the entire output file into memory at once. If the command's output is large, the node's memory or disk space can therefore be exhausted when CRI-O reads it. The highest threat from this vulnerability is to system availability.
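The read pattern the description refers to, as an added Go illustration that is not CRI-O's own code (which is not on this page): an unbounded read of the captured output beside a bounded read that caps what the node holds in memory and reports truncation. DefaultMaxExecOutput, the function names and the sample output are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"strings"
)

// DefaultMaxExecOutput is an assumed cap on how much of a command's captured
// output the runtime keeps in memory (value chosen for illustration only).
const DefaultMaxExecOutput int64 = 16 * 1024 * 1024

// readAllOutput mirrors the unbounded pattern the advisory describes: the whole
// output is loaded at once, so its size is decided by whoever ran the command,
// not by the node that has to hold it.
func readAllOutput(r io.Reader) ([]byte, error) {
	return io.ReadAll(r)
}

// readBoundedOutput reads at most maxBytes of the captured output and reports
// whether anything was left unread, so a chatty command costs the node a fixed
// amount of memory regardless of how much it wrote.
func readBoundedOutput(r io.Reader, maxBytes int64) (out []byte, truncated bool, err error) {
	// Read one byte past the limit so truncation is detectable without
	// buffering the remainder.
	lr := io.LimitReader(r, maxBytes+1)
	var buf bytes.Buffer
	if _, err = buf.ReadFrom(lr); err != nil {
		return nil, false, err
	}
	out = buf.Bytes()
	if int64(len(out)) > maxBytes {
		return out[:maxBytes], true, nil
	}
	return out, false, nil
}

func main() {
	// Constructed stand-in for the log file written by a large ExecSync output.
	big := strings.NewReader(strings.Repeat("x", 1<<20))
	out, truncated, err := readBoundedOutput(big, 4096)
	fmt.Printf("kept %d bytes, truncated=%v, err=%v\n", len(out), truncated, err)
}
```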

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Base score: 7.5
Exploitability score: 3.9
Impact score: 3.6

Verification logic

The record matches if any one of the following configuration groups applies (OR between groups, OR between the rows within a group):

CRI-O (any of):
vendor=kubernetes AND product=cri-o AND versionStartIncluding=1.23.0 AND versionEndExcluding=1.23.3
vendor=kubernetes AND product=cri-o AND versionStartIncluding=1.22.0 AND versionEndExcluding=1.22.5
vendor=kubernetes AND product=cri-o AND versionStartIncluding=1.21.0 AND versionEndExcluding=1.21.8
vendor=kubernetes AND product=cri-o AND versionStartIncluding=1.20.0 AND versionEndExcluding=1.20.8
vendor=kubernetes AND product=cri-o AND versionEndExcluding=1.19.7
vendor=kubernetes AND product=cri-o AND version=1.24.0

Fedora:
vendor=fedoraproject AND product=fedora AND version=36

Red Hat (any of):
vendor=Red Hat Enterprise Linux AND product=enterprise_linux AND version=7.0
vendor=Red Hat Enterprise Linux AND product=openshift_container_platform AND version=3.11
vendor=Red Hat Enterprise Linux AND product=enterprise_linux AND version=8.0
vendor=Red Hat Enterprise Linux AND product=openshift_container_platform AND version=4.0
vendor=Red Hat Enterprise Linux AND product=enterprise_linux AND version=9.0
vendor=Red Hat Enterprise Linux AND product=openshift_container_platform AND version=4.10
vendor=Red Hat Enterprise Linux AND product=openshift_container_platform AND version=4.9

Reference


Keywords

NVD, CVE-2022-1708, CVE, Common vulnerabilities & exposures, CVSS, Common vulnerability scoring system, Security, Vulnerabilities, Exposures
