Improper Input Validation Affecting github.com/cri-o/cri-o/server package, versions <1.26.0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMCRIOCRIOSERVER-3185144
- published 29 Dec 2022
- disclosed 29 Dec 2022
- credit Unknown
Introduced: 29 Dec 2022
CVE-2022-4318 Open this link in a new tabHow to fix?
Upgrade github.com/cri-o/cri-o/server to version 1.26.0 or higher.
Overview
github.com/cri-o/cri-o/server is an OCI-based implementation of Kubernetes Container Runtime Interface
Affected versions of this package are vulnerable to Improper Input Validation such that it is possible to craft an environment variable with newlines to add entries to a container's /etc/passwd. It is possible to circumvent admission validation of username/UID by adding such an entry.
Workaround
Additional security controls like SELinux can prevent any damage a container is able to do with root on the host. Using SELinux is recommended because this class of attack is already possible by manually editing the container's /etc/passwd.