Application Security Cheat Sheet

CVE List

Containerd

| CVE | Title | Affected versions | References |
| --- | --- | --- | --- |
| CVE-2022-23648 | Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host | <= 1.4.12, 1.5.0 - 1.5.9, 1.6.0 | Technical Advisory: containerd - Insecure handling of image volumes; PoC for CVE-2022-23648 |
| CVE-2021-41103 | Insufficiently restricted permissions on container root and plugin directories | < 1.4.11, < 1.5.7 | GitHub advisories: GHSA-c2h3-6mxw-7mvq |
| CVE-2021-32760 | Archive package allows chmod of a file outside of the unpack target directory | <= 1.4.7, <= 1.5.3 | GitHub advisories: GHSA-c72p-9xmj-rx3w |
| CVE-2021-21334 | containerd CRI plugin: environment variables can leak between containers | <= 1.3.9, <= 1.4.3 | GitHub advisories: GHSA-6g2q-w5j3-fwh4 |
| CVE-2020-15257 | containerd-shim API exposed to host network containers | <= 1.3.7, 1.4.0, 1.4.1 | Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257) |
| CVE-2020-15157 | containerd v1.2.x can be coerced into leaking credentials during image pull | < 1.3.0 | GitHub advisories: GHSA-742w-89gc-8m9c; CVE-2020-15157 "ContainerDrip" Write-up |

CRI-O

| CVE | Title | Affected versions | References |
| --- | --- | --- | --- |
| CVE-2022-0811 | Rights to deploy a pod on a Kubernetes cluster lead to abusing the kernel.core_pattern parameter | > 1.19.0 | cr8escape: New Vulnerability in CRI-O Container Engine Discovered by CrowdStrike (CVE-2022-0811) |

Linux kernel

| CVE | Title | Required capabilities | References |
| --- | --- | --- | --- |
| CVE-2022-47939 | A use-after-free vulnerability in fs/ksmbd/smb2pdu.c | ? | Linux Kernel ksmbd Use-After-Free Remote Code Execution Vulnerability |
| CVE-2022-34918 | A type confusion bug in nft_set_elem_init that leads to a buffer overflow | CAP_NET_ADMIN | CVE-2022-34918 A crack in the Linux firewall; GitHub: randorisec/CVE-2022-34918-LPE-PoC |
| CVE-2022-32250 | A use-after-free vulnerability in the Netfilter subsystem | ? | Linux Kernel Exploit (CVE-2022-32250) with mqueue; SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250) |
| CVE-2022-29582 | A use-after-free vulnerability in fs/io_uring.c due to a race condition in io_uring timeouts | - | CVE-2022-29582: An io_uring vulnerability; GitHub: Ruia-ruia/CVE-2022-29582-Exploit |
| CVE-2022-27666 | A heap buffer overflow vulnerability in the IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c that allows a local attacker with normal user privileges to overwrite kernel heap objects | ? | CVE-2022-27666: Exploit esp6 modules in Linux kernel; GitHub: plummm/CVE-2022-27666 |
| CVE-2022-2602 | A use-after-free vulnerability when an io_uring request is being processed | | DirtyCred Remastered: how to turn an UAF into Privilege Escalation; GitHub: LukeGix/CVE-2022-2602 |
| CVE-2022-2588 | A use-after-free vulnerability in route4_change in the net/sched/cls_route.c filter implementation in the Linux kernel | CAP_NET_ADMIN | DirtyCred: Opening Pandora's Box to Current and Future Container Escapes; GitHub: Markakd/CVE-2022-2588 |
| CVE-2022-25636 | An out-of-bounds memory access leads to privilege escalation | CAP_NET_ADMIN | The Discovery and Exploitation of CVE-2022-25636 |
| CVE-2022-1786 | A use-after-free flaw in the io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring | ? | CVE-2022-1786 A Journey To The Dawn |
| CVE-2022-1015 | A flaw in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem that allows a local user to cause an out-of-bounds write | CAP_NET_ADMIN | CVE-2022-1015: A validation flaw in Netfilter leading to Local Privilege Escalation; How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables |
| CVE-2022-0995 | An out-of-bounds memory write flaw in the watch_queue event notification subsystem that can overwrite parts of the kernel state | ? | GitHub: Bonfee/CVE-2022-0995 |
| CVE-2022-0847 | A vulnerability which allows overwriting data in arbitrary read-only files and leads to privilege escalation via injecting code into root processes | CAP_DAC_READ_SEARCH | The Dirty Pipe Vulnerability; DirtyPipe (CVE-2022-0847) – the new DirtyCoW?; GitHub: greenhandatsjtu/CVE-2022-0847-Container-Escape; GitHub: Al1ex/CVE-2022-0847 |
| CVE-2022-0492 | Missing verification allows setting the release_agent file for the process without administrative privileges | CAP_SYS_ADMIN, disabled AppArmor/SELinux, disabled Seccomp | New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape? |
| CVE-2022-0185 | A heap-based buffer overflow flaw in the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel | CAP_SYS_ADMIN or unshare(CLONE_NEWNS\|CLONE_NEWUSER) | CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers; CVE-2022-0185 in Linux Kernel Can Allow Container Escape in Kubernetes; GitHub: Crusaders-of-Rust/CVE-2022-0185 |
| CVE-2021-22555 | A heap out-of-bounds write in Linux Netfilter | CAP_NET_ADMIN | CVE-2021-22555: Turning \x00\x00 into 10000$ |
| CVE-2021-31440 | A flaw in the handling of eBPF programs leads to privilege escalation | CAP_SYS_MODULE | CVE-2021-31440: AN INCORRECT BOUNDS CALCULATION IN THE LINUX KERNEL EBPF VERIFIER |
| CVE-2020-8835 | The bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory | CAP_SYS_ADMIN | CVE-2020-8835: LINUX KERNEL PRIVILEGE ESCALATION VIA IMPROPER EBPF PROGRAM VERIFICATION |
| CVE-2017-7308 | The packet_set_ring function in net/packet/af_packet.c does not properly validate certain block-size data, which allows local users to gain privileges via crafted system calls | CAP_NET_RAW | Exploiting the Linux kernel via packet sockets |

RunC

| CVE | Title | Affected versions | References |
| --- | --- | --- | --- |
| CVE-2021-30465 | Mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs | <= 1.0.0-rc94 | GitHub advisories: GHSA-c3xm-pvg7-gh7r; runc mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs (CVE-2021-30465) |
| CVE-2019-19921 | procfs race condition with a shared volume mount | < 1.0.0-rc10 | GitHub advisories: GHSA-fh74-hm69-rqjw |
| CVE-2019-5736 | Overwrite host runc binary due to file-descriptor mishandling | <= 1.0-rc6 | CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host; Breaking out of Docker via runC – Explaining CVE-2019-5736 |

References

  • Container Security Site: Container CVE List
  • Zeronights 2021: Dmitriy Evdokimov – Container escapes Kubernetes edition (Video, Slides)