CVE-2022-1708 — Vulnetix

Try Vulnetix Request Demo

CVE-2022-1708 PUBLISHED CVSS 7.800000190734863 HIGH

A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.

EPSS 0.59% · 69.1th percentile

Risk Scores

CVSS v2.0

7.800000190734863

EPSS Score

0.59%

69.1th percentile

Affected Products

Vendor	Product	Versions
n/a	CRI-O	Affects cri-o <= 1.24.0, 1.23.2, 1.22.4, Fixed-in 1.24.1, 1.23.3, 1.22.5
redhat	openshift_container_platform	3.11, 4.10, 4.9
redhat	enterprise_linux	9.0, 7.0, 8.0
fedoraproject	fedora	36
github.com	cri-o/cri-o	1.23.0, 1.24.0, 1.24.0
kubernetes	cri-o	1.22.0, 1.21.0, 1.23.0

Timeline

Jun 6, 2022 CVE Published
Jun 8, 2022 EPSS Score
Jun 15, 2022 EPSS Score
Jul 27, 2022 EPSS Score
Sep 12, 2022 EPSS Score
Dec 17, 2022 EPSS Score
Feb 3, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 22, 2023 EPSS Score
May 9, 2023 EPSS Score
Jun 26, 2023 EPSS Score
Aug 13, 2023 EPSS Score

References

Open in Interactive Console →