Improper Privilege Management Affecting github.com/containerd/containerd/pkg/process package, versions <1.3.0-beta.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Privilege Management vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDPKGPROCESS-536210
  • published28 Nov 2019
  • disclosed26 Nov 2018
  • creditUnknown

Introduced: 26 Nov 2018

CVE NOT AVAILABLE CWE-269  (opens in a new tab)

How to fix?

Upgrade github.com/containerd/containerd/pkg/process to version 1.3.0-beta.0 or higher.

Overview

github.com/containerd/containerd/pkg/process is an open and reliable container runtime.

Affected versions of this package are vulnerable to Improper Privilege Management. Due to the usage of unix.Kill to kill a exec process, the pid in execProcess does not get deleted after a exec process has been stopped. Under certain conditions, it might be possible to for unprivileged process reuse generated pid and gain access to its privileges.

CVSS Base Scores

version 3.1