<p>Upgrade <code>github.com/containerd/containerd/pkg/process</code> to version 1.3.0-beta.0 or higher.</p>

process package, versions <1.3.0-beta.0

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDPKGPROCESS-536210
published 28 Nov 2019
disclosed 26 Nov 2018
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 26 Nov 2018

CWE-269 Open this link in a new tab

How to fix?

Upgrade github.com/containerd/containerd/pkg/process to version 1.3.0-beta.0 or higher.

Overview

github.com/containerd/containerd/pkg/process is an open and reliable container runtime.

Affected versions of this package are vulnerable to Improper Privilege Management. Due to the usage of unix.Kill to kill a exec process, the pid in execProcess does not get deleted after a exec process has been stopped. Under certain conditions, it might be possible to for unprivileged process reuse generated pid and gain access to its privileges.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

High
Privileges Required (PR)

Low
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

None
Availability (A)

None

Improper Privilege Management Affecting github.com/containerd/containerd/pkg/process package, versions <1.3.0-beta.0

Severity

CVSS assessment made by Snyk's Security Team

Introduced: 26 Nov 2018

How to fix?

Overview

References

CVSS Scores

Snyk