CVE-2020-15257

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2020-15257
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2020-12-01 03:15:00 UTC
Updated2023-11-07 03:17:00 UTC
Descriptioncontainerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.

Risk And Classification

Problem Types: CWE-669

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Debian Debian Linux 10.0 All All All
Operating System Fedoraproject Fedora 33 All All All
Application Linuxfoundation Containerd All All All All
Application Linuxfoundation Containerd All All All All

References

ReferenceSourceLinkTags
containerd-shim API Exposed to Host Network Containers · Advisory · containerd/containerd · GitHub CONFIRM github.com Mitigation, Third Party Advisory
Merge pull request from GHSA-36xw-fx78-c5r4 · containerd/containerd@4a4bb85 · GitHub MISC github.com Patch, Third Party Advisory
[SECURITY] Fedora 33 Update: containerd-1.4.3-1.fc33 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org Mailing List, Third Party Advisory
Release containerd 1.4.3 · containerd/containerd · GitHub MISC github.com Third Party Advisory
Debian -- Security Information -- DSA-4865-1 docker.io DEBIAN www.debian.org Third Party Advisory
[SECURITY] Fedora 33 Update: containerd-1.4.3-1.fc33 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
containerd: Multiple vulnerabilities (GLSA 202105-33) — Gentoo security GENTOO security.gentoo.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 353047 Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2021-012
  • 353060 Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2021-012
  • 356880 Amazon Linux Security Advisory for containerd : ALAS2ECS-2023-030
  • 500858 Alpine Linux Security Update for containerd
  • 500868 Alpine Linux Security Update for docker
  • 501594 Alpine Linux Security Update for k3s
  • 504640 Alpine Linux Security Update for containerd
  • 504672 Alpine Linux Security Update for docker
  • 6140365 AWS Bottlerocket Security Update for containerd (GHSA-9cqr-6mvg-w8jv)
  • 671845 EulerOS Security Update for docker-engine (EulerOS-SA-2022-1886)
  • 710081 Gentoo Linux containerd Multiple vulnerabilities (GLSA 202105-33)
  • 750363 OpenSUSE Security Update for containerd, docker, docker-runc, golang-github-docker-libnetwork (openSUSE-SU-2021:0278-1)
  • 982383 Go (go) Security Update for github.com/containerd/containerd/cmd (GHSA-36xw-fx78-c5r4)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report