<p>Upgrade <code>Wolfi</code> <code>ctop</code> to version 0.7.7-r13 or higher.</p>

CVE-2022-23648 Affecting ctop package, versions <0.7.7-r13

Threat Intelligence

0.84% (83^rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-WOLFILATEST-CTOP-6597064
published 11 Apr 2024
disclosed 3 Mar 2022

Report a new vulnerability Found a mistake?

Introduced: 3 Mar 2022

CVE-2022-23648 Open this link in a new tab

How to fix?

Upgrade Wolfi ctop to version 0.7.7-r13 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream ctop package and not the ctop package as distributed by Wolfi. See How to fix? for Wolfi relevant fixed versions and status.

containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

None
Availability (A)

None

CVE-2022-23648 Affecting ctop package, versions <0.7.7-r13

Severity

Snyk's Security Team recommends NVD's CVSS assessment