CVE-2023-25173

Summary

CVE: CVE-2023-25173
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2023-02-16 15:15:00 UTC
Updated: 2023-09-15 21:15:00 UTC
Description: containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.
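The description above says that the process started for a Dockerfile `USER` gets its primary group but not the supplementary groups that the container's /etc/group grants that user, and that `su -` is a workaround because it sets those groups itself. The POSIX shell script below is an added example, not containerd project code: it derives the group set a user should hold from /etc/passwd and /etc/group (the same files `su -` consults through initgroups) and diffs it against what `id -G` reports for the running process. Run it inside a container built with `USER app` (where `app` belongs to extra groups) and again with the `ENTRYPOINT ["su", "-", "app"]` workaround or on a patched runtime. The user names, GIDs and file contents in `demo` are constructed for illustration; the script assumes `awk`, `id`, `sort`, `tr`, `sed` and `mktemp` are available, as they are in busybox-based images.

```shell
#!/bin/sh
# Added example, not containerd project code. Compares the supplementary groups
# this process actually holds (id -G) with the groups the container's
# /etc/group grants its user. A runtime affected by CVE-2023-25173 starts the
# Dockerfile USER process with its primary GID only, so the diff is non-empty.

# expected_gids USER [PASSWD_FILE] [GROUP_FILE]
# Prints USER's primary GID plus every GID whose /etc/group member list names
# USER, sorted numerically and space separated, i.e. the shape of `id -G`.
expected_gids() {
    user=$1
    passwd_file=${2:-/etc/passwd}
    group_file=${3:-/etc/group}

    primary=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd_file")
    if [ -z "$primary" ]; then
        echo "expected_gids: user '$user' not found in $passwd_file" >&2
        return 1
    fi

    {
        echo "$primary"
        # /etc/group layout: name:password:gid:member1,member2,...
        awk -F: -v u="$user" -v p="$primary" '
            $3 != p {
                n = split($4, members, ",")
                for (i = 1; i <= n; i++)
                    if (members[i] == u) { print $3; break }
            }' "$group_file"
    } | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# missing_gids "EXPECTED" "ACTUAL": prints, one per line, each GID in EXPECTED
# that does not appear in ACTUAL (both are space-separated lists).
missing_gids() {
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;
            *) printf '%s\n' "$g" ;;
        esac
    done
}

# check_current_user: returns 0 if this process holds every group that the
# container's /etc/group grants the current user, otherwise prints the gap
# and returns 1. Run it as the container entrypoint or through `docker exec`.
check_current_user() {
    user=$(id -un)
    expected=$(expected_gids "$user") || return 1
    actual=$(id -G)
    missing=$(missing_gids "$expected" "$actual" | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "FAIL: $user is missing supplementary groups: $missing" >&2
        echo "      expected: $expected" >&2
        echo "      actual:   $actual" >&2
        return 1
    fi
    echo "ok: $user holds all expected groups ($actual)"
}

# demo: constructed /etc/passwd and /etc/group (not taken from any real image)
# showing the gap an affected runtime leaves versus a fixed runtime or `su -`.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
                  'app:x:1000:1000:app:/home/app:/bin/sh' > "$dir/passwd"
    printf '%s\n' 'root:x:0:' 'app:x:1000:' \
                  'secrets:x:2000:app' 'audit:x:2001:root,app' > "$dir/group"
    expected=$(expected_gids app "$dir/passwd" "$dir/group")
    echo "expected groups for app:        $expected"
    echo "affected runtime, id -G = 1000: missing $(missing_gids "$expected" 1000 | tr '\n' ' ')"
    echo "fixed runtime or su - app:      missing '$(missing_gids "$expected" "$expected")'"
    rm -rf "$dir"
}

case "${1:-demo}" in
    --check) check_current_user ;;
    demo)    demo ;;
esac
```

On an affected runtime the `USER app` container reports `id -G` as `1000` and the check lists 2000 and 2001 as missing; with the `su -` entrypoint or a fixed containerd, `id -G` matches the expected list. Note that this only tells you whether the groups were applied, so a user whose /etc/group membership is empty will pass on both affected and fixed runtimes.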

Risk And Classification

Problem Types: CWE-863

NVD Known Affected Configurations (CPE 2.3)

Type        | Vendor          | Product    | Version | Update | Edition | Language
Application | Linuxfoundation | Containerd | All     | All    | All     | All

References

Each entry lists the reference title, then the source and link host, then any tags.

  • Buildah's incorrect handling of the supplementary groups may lead to data disclosure, modification · CVE-2022-2990 · GitHub Advisory Database · GitHub (MISC, github.com)
  • [SECURITY] Fedora 39 Update: moby-engine-24.0.5-1.fc39 - package-announce - Fedora Mailing-Lists (MISC, lists.fedoraproject.org)
  • Merge pull request from GHSA-hmfx-3pcx-653p · containerd/containerd@133f6bb · GitHub (MISC, github.com)
  • [SECURITY] Fedora 38 Update: moby-engine-24.0.5-1.fc38 - package-announce - Fedora Mailing-Lists (MISC, lists.fedoraproject.org)
  • Release containerd 1.6.18 · containerd/containerd · GitHub (MISC, github.com)
  • [SECURITY] Fedora 37 Update: moby-engine-24.0.5-1.fc37 - package-announce - Fedora Mailing-Lists (MISC, lists.fedoraproject.org)
  • Vulnerability in Linux containers – investigation and mitigation – Bentham's Gaze (MISC, www.benthamsgaze.org)
  • Supplementary groups are not set up properly · Advisory · containerd/containerd · GitHub (MISC, github.com)
  • CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure · CVE-2022-2995 · GitHub Advisory Database · GitHub (MISC, github.com)
  • Podman's incorrect handling of the supplementary groups may lead to data disclosure, modification · CVE-2022-2989 · GitHub Advisory Database · GitHub (MISC, github.com)
  • Release containerd 1.5.18 · containerd/containerd · GitHub (MISC, github.com)
  • Security vulnerability relating to supplementary group permissions · Advisory · moby/moby · GitHub (MISC, github.com)
  • CVE Program record (CVE.ORG, www.cve.org; tags: canonical)
  • NVD vulnerability detail (NVD, nvd.nist.gov; tags: canonical, analysis)

Legacy QID Mappings

  • 161063 Oracle Enterprise Linux Security Update for podman (ELSA-2023-6474)
  • 161105 Oracle Enterprise Linux Security Update for buildah (ELSA-2023-6473)
  • 161175 Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2023-6939)
  • 181846 Debian Security Update for containerd (CVE-2023-25173)
  • 199448 Ubuntu Security Notification for containerd Vulnerabilities (USN-6202-1)
  • 242287 Red Hat Update for buildah (RHSA-2023:6473)
  • 242335 Red Hat Update for podman security (RHSA-2023:6474)
  • 242415 Red Hat Update for container-tools:rhel8 (RHSA-2023:6939)
  • 283789 Fedora Security Update for stargz (FEDORA-2023-ee472c698c)
  • 283793 Fedora Security Update for containerd (FEDORA-2023-aadd08ab96)
  • 283794 Fedora Security Update for containerd (FEDORA-2023-05b39bc048)
  • 284254 Fedora Security Update for stargz (FEDORA-2023-62ce942e75)
  • 284257 Fedora Security Update for containerd (FEDORA-2023-cd000ea847)
  • 285289 Fedora Security Update for moby (FEDORA-2023-b9c1d0e4c5)
  • 354880 Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2023-023
  • 354881 Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2023-023
  • 355215 Amazon Linux Security Advisory for containerd : ALAS2023-2023-156
  • 355315 Amazon Linux Security Advisory for containerd : ALAS2ECS-2023-002
  • 356384 Amazon Linux Security Advisory for containerd : ALAS2023-2023-374
  • 357051 Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2024-035
  • 357058 Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2024-035
  • 379641 Alibaba Cloud Linux Security Update for container-tools:rhel8 (ALINUX3-SA-2024:0050)
  • 502839 Alpine Linux Security Update for containerd
  • 6140049 AWS Bottlerocket Security Update for containerd (GHSA-x336-h4c5-wcqv)
  • 672859 EulerOS Security Update for docker-engine (EulerOS-SA-2023-1591)
  • 672969 EulerOS Security Update for docker-engine (EulerOS-SA-2023-1837)
  • 672971 EulerOS Security Update for docker-engine (EulerOS-SA-2023-1864)
  • 673024 EulerOS Security Update for docker-engine (EulerOS-SA-2023-1971)
  • 673027 EulerOS Security Update for docker-engine (EulerOS-SA-2023-1949)
  • 673082 EulerOS Security Update for docker-engine (EulerOS-SA-2023-2142)
  • 673137 EulerOS Security Update for containerd (EulerOS-SA-2023-2285)
  • 673146 EulerOS Security Update for containerd (EulerOS-SA-2023-2261)
  • 755121 SUSE Enterprise Linux Security Update for helm (SUSE-SU-2023:4124-1)
  • 905553 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (13591)
  • 905559 Common Base Linux Mariner (CBL-Mariner) Security Update for k3s (13570)
  • 905612 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (13673)
  • 906541 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (13591-1)
  • 906581 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (13591-3)
  • 906687 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (13673-3)
  • 906781 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (13591-5)
  • 941386 AlmaLinux Security Update for buildah (ALSA-2023:6473)
  • 941399 AlmaLinux Security Update for podman (ALSA-2023:6474)
  • 941481 AlmaLinux Security Update for container-tools:rhel8 (ALSA-2023:6939)
© CVE.report 2026

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
