csaf_redhat - rhea-2023:7493

rhea-2023:7493

Vulnerability from csaf_redhat

Published

2023-11-27 11:44

Modified

2025-08-07 03:27

Summary

Red Hat Enhancement Advisory: OpenShift sandboxed containers 1.5.0 update

Notes

Topic

OpenShift sandboxed containers 1.5.0 is now available.

Details

OpenShift sandboxed containers support for OpenShift Container Platform provides users with built-in support for running Kata containers as an additional, optional runtime. This advisory contains an update for OpenShift sandboxed containers with enhancements and bug fixes. Space precludes documenting all of the updates to OpenShift sandboxed containers in this advisory. See the Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://access.redhat.com/documentation/en-us/openshift_sandboxed_containers/1.5/html-single/openshift_sandboxed_containers_release_notes/

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "OpenShift sandboxed containers 1.5.0 is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "OpenShift sandboxed containers support for OpenShift Container Platform\nprovides users with built-in support for running Kata containers as an\nadditional, optional runtime.\n\nThis advisory contains an update for OpenShift sandboxed containers with enhancements and bug fixes.\n\nSpace precludes documenting all of the updates to OpenShift sandboxed\ncontainers in this advisory. See the Release Notes documentation,\nwhich will be updated shortly for this release, for details about these\nchanges:\n\nhttps://access.redhat.com/documentation/en-us/openshift_sandboxed_containers/1.5/html-single/openshift_sandboxed_containers_release_notes/",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHEA-2023:7493",
        "url": "https://access.redhat.com/errata/RHEA-2023:7493"
      },
      {
        "category": "external",
        "summary": "KATA-2135",
        "url": "https://issues.redhat.com/browse/KATA-2135"
      },
      {
        "category": "external",
        "summary": "KATA-2251",
        "url": "https://issues.redhat.com/browse/KATA-2251"
      },
      {
        "category": "external",
        "summary": "KATA-2302",
        "url": "https://issues.redhat.com/browse/KATA-2302"
      },
      {
        "category": "external",
        "summary": "KATA-2317",
        "url": "https://issues.redhat.com/browse/KATA-2317"
      },
      {
        "category": "external",
        "summary": "KATA-2321",
        "url": "https://issues.redhat.com/browse/KATA-2321"
      },
      {
        "category": "external",
        "summary": "KATA-2402",
        "url": "https://issues.redhat.com/browse/KATA-2402"
      },
      {
        "category": "external",
        "summary": "KATA-2411",
        "url": "https://issues.redhat.com/browse/KATA-2411"
      },
      {
        "category": "external",
        "summary": "KATA-2451",
        "url": "https://issues.redhat.com/browse/KATA-2451"
      },
      {
        "category": "external",
        "summary": "KATA-2452",
        "url": "https://issues.redhat.com/browse/KATA-2452"
      },
      {
        "category": "external",
        "summary": "KATA-2453",
        "url": "https://issues.redhat.com/browse/KATA-2453"
      },
      {
        "category": "external",
        "summary": "KATA-2454",
        "url": "https://issues.redhat.com/browse/KATA-2454"
      },
      {
        "category": "external",
        "summary": "KATA-2461",
        "url": "https://issues.redhat.com/browse/KATA-2461"
      },
      {
        "category": "external",
        "summary": "KATA-2462",
        "url": "https://issues.redhat.com/browse/KATA-2462"
      },
      {
        "category": "external",
        "summary": "KATA-2463",
        "url": "https://issues.redhat.com/browse/KATA-2463"
      },
      {
        "category": "external",
        "summary": "KATA-2464",
        "url": "https://issues.redhat.com/browse/KATA-2464"
      },
      {
        "category": "external",
        "summary": "KATA-2465",
        "url": "https://issues.redhat.com/browse/KATA-2465"
      },
      {
        "category": "external",
        "summary": "KATA-2466",
        "url": "https://issues.redhat.com/browse/KATA-2466"
      },
      {
        "category": "external",
        "summary": "KATA-2475",
        "url": "https://issues.redhat.com/browse/KATA-2475"
      },
      {
        "category": "external",
        "summary": "KATA-2476",
        "url": "https://issues.redhat.com/browse/KATA-2476"
      },
      {
        "category": "external",
        "summary": "KATA-2515",
        "url": "https://issues.redhat.com/browse/KATA-2515"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhea-2023_7493.json"
      }
    ],
    "title": "Red Hat Enhancement Advisory: OpenShift sandboxed containers 1.5.0 update",
    "tracking": {
      "current_release_date": "2025-08-07T03:27:37+00:00",
      "generator": {
        "date": "2025-08-07T03:27:37+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.6"
        }
      },
      "id": "RHEA-2023:7493",
      "initial_release_date": "2023-11-27T11:44:10+00:00",
      "revision_history": [
        {
          "date": "2023-11-27T11:44:10+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-11-27T11:44:10+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-08-07T03:27:37+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Sandboxed Containers 1.5",
                "product": {
                  "name": "OpenShift Sandboxed Containers 1.5",
                  "product_id": "9Base-OSE-OSC-1.5",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_sandboxed_containers:1.5.0::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64",
                  "product_id": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9\u0026tag=1.5.0-11"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64",
                  "product_id": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9\u0026tag=1.5.0-8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64",
                  "product_id": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9\u0026tag=1.5.0-9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64",
                  "product_id": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9\u0026tag=1.5.0-11"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64",
                  "product_id": "openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-operator-bundle\u0026tag=1.5.0-45"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64",
                  "product_id": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-rhel9-operator\u0026tag=1.5.0-14"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64",
                  "product_id": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9\u0026tag=1.5.0-12"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x",
                  "product_id": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893?arch=s390x\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9\u0026tag=1.5.0-11"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x",
                  "product_id": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5?arch=s390x\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9\u0026tag=1.5.0-8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x",
                  "product_id": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10?arch=s390x\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9\u0026tag=1.5.0-9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x",
                  "product_id": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7?arch=s390x\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9\u0026tag=1.5.0-11"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x",
                  "product_id": "openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823?arch=s390x\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-operator-bundle\u0026tag=1.5.0-45"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x",
                  "product_id": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067?arch=s390x\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-rhel9-operator\u0026tag=1.5.0-14"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x",
                  "product_id": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078?arch=s390x\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9\u0026tag=1.5.0-12"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x"
        },
        "product_reference": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64 as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64"
        },
        "product_reference": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x"
        },
        "product_reference": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64 as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64"
        },
        "product_reference": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64 as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64"
        },
        "product_reference": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x"
        },
        "product_reference": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64 as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64"
        },
        "product_reference": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x"
        },
        "product_reference": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x"
        },
        "product_reference": "openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64 as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64"
        },
        "product_reference": "openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64 as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64"
        },
        "product_reference": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x"
        },
        "product_reference": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x"
        },
        "product_reference": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64 as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64"
        },
        "product_reference": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-25173",
      "cwe": {
        "id": "CWE-842",
        "name": "Placement of User into Incorrect Group"
      },
      "discovery_date": "2023-03-01T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2174485"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in containerd, where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases. This issue can allow access to sensitive information or gain the ability to execute code in that container.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "containerd: Supplementary groups are not set up properly",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The following products include containerd related code, but do not use the specific Go packages impacted by this CVE, `containerd/cri/server` and `containerd/oci`. This CVE is therefore rated Low for these products:\n\n* OpenShift Container Platform\n* OpenShift Service Mesh\n* OpenShift API for Data Protection\n* Red Hat Advanced Cluster Security\n* Red Hat Advanced Cluster Management for Kubernetes",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64"
        ],
        "known_not_affected": [
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-25173"
        },
        {
          "category": "external",
          "summary": "RHBZ#2174485",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174485"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-25173",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-25173"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25173",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25173"
        },
        {
          "category": "external",
          "summary": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
          "url": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a"
        },
        {
          "category": "external",
          "summary": "https://github.com/containerd/containerd/releases/tag/v1.5.18",
          "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
        },
        {
          "category": "external",
          "summary": "https://github.com/containerd/containerd/releases/tag/v1.6.18",
          "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
        },
        {
          "category": "external",
          "summary": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
          "url": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p"
        },
        {
          "category": "external",
          "summary": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
          "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"
        }
      ],
      "release_date": "2023-02-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-11-27T11:44:10+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2023:7493"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "containerd: Supplementary groups are not set up properly"
    }
  ]
}

CVE-2023-25173 (GCVE-0-2023-25173)

Vulnerability from cvelistv5

Published

2023-02-16 14:09

Modified

2025-03-10 21:10

Severity ?

5.3 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-863 - Incorrect Authorization

Summary

containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.

References

►

URL

Tags

	https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p	x_refsource_CONFIRM
	https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4	x_refsource_MISC
	https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a	x_refsource_MISC
	https://github.com/advisories/GHSA-4wjj-jwc9-2x96	x_refsource_MISC
	https://github.com/advisories/GHSA-fjm8-m7m6-2fjp	x_refsource_MISC
	https://github.com/advisories/GHSA-phjr-8j92-w5v7	x_refsource_MISC
	https://github.com/containerd/containerd/releases/tag/v1.5.18	x_refsource_MISC
	https://github.com/containerd/containerd/releases/tag/v1.6.18	x_refsource_MISC
	https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/

Impacted products

	Vendor	Product	Version
	containerd	containerd	Version: < 1.5.18 Version: >= 1.6.0, < 1.6.18

Show details on NVD website