Description
A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/CPU, circumventing the Kubernetes scheduler and potentially resulting in a denial of service on the node.
Report
Two main factors reduce the severity of this vulnerability to Moderate:
- A potential attacker must already have valid credentials
- The OpenShift environment must already be configured to use an experimental feature
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat OpenShift Container Platform 3.11 | cri-o | Out of support scope | | |
Red Hat OpenShift Container Platform 4.13 | cri-o | Fixed | RHSA-2024:0195 | 17.01.2024 |
Red Hat OpenShift Container Platform 4.14 | cri-o | Fixed | RHSA-2024:0207 | 17.01.2024 |
Additional information
Status:
EPSS
6.5 Medium
CVSS3
Related vulnerabilities
CRI-O's pods can break out of resource confinement on cgroupv2