# CVE列表 ## Containerd | CVE | 标题 | 受影响版本 | 参考资料 | | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | ------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [CVE-2022-23648](https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7) | 通过containerd的CRI实现启动的容器,如果使用特殊构造的镜像配置,可以访问主机上任意文件和目录的只读副本 |

<= 1.4.12

1.5.0 - 1.5.9

1.6.0

|

> 技术报告:containerd - 镜像卷的不安全处理

> CVE-2022-23648的PoC

| | [CVE-2021-41103](https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq) | 容器根目录和插件目录的权限限制不足 |

<1.4.11

<1.5.7

| [Github公告:GHSA-c2h3-6mxw-7mvq](https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq) | | [CVE-2021-32760](https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w) | 归档包允许对解压目标目录之外的文件进行chmod操作 |

<=1.4.7

<=1.5.3

| [Github公告:GHSA-c72p-9xmj-rx3w](https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w) | | [CVE-2021-21334](https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4) | containerd CRI插件:环境变量可能在容器间泄露 |

<=1.3.9

<= 1.4.3

| [Github公告:GHSA-6g2q-w5j3-fwh4](https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4) | | [CVE-2020-15257](https://research.nccgroup.com/2020/11/30/technical-advisory-containerd-containerd-shim-api-exposed-to-host-network-containers-cve-2020-15257/) | containerd-shim API暴露给主机网络容器 |

<=1.3.7

1.4.0

1.4.1

| [技术报告:containerd – containerd-shim API暴露给主机网络容器 (CVE-2020-15257)](https://research.nccgroup.com/2020/11/30/technical-advisory-containerd-containerd-shim-api-exposed-to-host-network-containers-cve-2020-15257/) | | [CVE-2020-15157](https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c) | containerd v1.2.x可能在镜像拉取期间被强迫泄露凭证 | < 1.3.0 |

> Github公告:GHSA-742w-89gc-8m9c

> CVE-2020-15157 "ContainerDrip" 技术分析

| ## CRI-O | CVE | 标题 | 受影响版本 | 参考资料 | | --------------------------------------------------------------------------------------- | ------------------------------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | [CVE-2022-0811](https://github.com/cri-o/cri-o/security/advisories/GHSA-6x2m-w449-qwx7) | 在Kubernetes集群上部署Pod的权限导致滥用`kernel.core_pattern`参数 | `>1.19.0` | [cr8escape:CrowdStrike发现的CRI-O容器引擎新漏洞 (CVE-2022-0811)](https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/) | ## Linux内核 | CVE | 标题 | 所需权能 | 参考资料 | | | ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [CVE-2022-47939](https://nvd.nist.gov/vuln/detail/CVE-2022-47939) | fs/ksmbd/smb2pdu.c中的释放后使用漏洞 | `?` | > [Linux内核ksmbd释放后使用远程代码执行漏洞](https://www.zerodayinitiative.com/advisories/ZDI-22-1690/) | | | [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918) | nft\_set\_elem\_init中的类型混淆错误导致缓冲区溢出 | CAP\_NET\_ADMIN |

> CVE-2022-34918 Linux防火墙中的裂缝

> Github:randorisec/CVE-2022-34918-LPE-PoC

| | | [CVE-2022-32250](https://nvd.nist.gov/vuln/detail/CVE-2022-32250) | Netfilter子系统中的释放后使用漏洞 | `?` |

> 使用mqueue的Linux内核漏洞利用 (CVE-2022-32250)

> NETLINK定居者:利用nf\_tables中的有限UAF (CVE-2022-32250)

| | | [CVE-2022-29582](https://nvd.nist.gov/vuln/detail/CVE-2022-29582) | fs/io\_uring.c中由于io\_uring超时的竞争条件导致的释放后使用漏洞 | - |

> CVE-2022-29582:io\_uring漏洞

> Github:Ruia-ruia/CVE-2022-29582-Exploit

| | | [CVE-2022-27666](https://nvd.nist.gov/vuln/detail/CVE-2022-27666) | net/ipv4/esp4.c和net/ipv6/esp6.c中IPsec ESP转换代码中的堆缓冲区溢出漏洞,允许具有普通用户权限的本地攻击者覆盖内核堆对象 | `?` |

> CVE-2022-27666:利用Linux内核中的esp6模块

> Github:plummm/CVE-2022-27666

| | | [CVE-2022-2602](https://access.redhat.com/security/cve/cve-2022-2602) | 处理io\_uring请求时的释放后使用漏洞 | |

> DirtyCred重制版:如何将UAF转换为权限提升

> Github:LukeGix/CVE-2022-2602

| | | [CVE-2022-2588](https://access.redhat.com/security/cve/cve-2022-2588) | Linux内核中net/sched/cls\_route.c过滤器实现中route4\_change的释放后使用漏洞 | CAP\_NET\_ADMIN |

> DirtyCred:打开当前和未来容器逃逸的潘多拉盒子

> Markakd/CVE-2022-2588

| | | [CVE-2022-25636](https://nvd.nist.gov/vuln/detail/CVE-2022-25636) | 越界内存访问导致权限提升 | CAP\_NET\_ADMIN | [CVE-2022-25636的发现和利用](https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/) | | | [CVE-2022-1786](https://nvd.nist.gov/vuln/detail/CVE-2022-1786) | io\_uring子系统中用户设置具有多个任务在此环上完成提交的IORING\_SETUP\_IOPOLL环的方式中的释放后使用缺陷 | `?` | [CVE-2022-1786 黎明之旅](https://blog.kylebot.net/2022/10/16/CVE-2022-1786/) | | | [CVE-2022-1015](https://nvd.nist.gov/vuln/detail/CVE-2022-1015) | netfilter子系统中linux/net/netfilter/nf\_tables\_api.c的缺陷,允许本地用户导致越界写入问题 | CAP\_NET\_ADMIN |

> CVE-2022-1015:Netfilter中的验证缺陷导致本地权限提升

> 时局已变:nf\_tables中两个新Linux漏洞的分析

| | | [CVE-2022-0995](https://nvd.nist.gov/vuln/detail/CVE-2022-0995) | watch\_queue事件通知子系统中的越界内存写入缺陷,可以覆盖内核状态的部分内容 | `?` | [Github:Bonfee/CVE-2022-0995](https://github.com/Bonfee/CVE-2022-0995) | | | [CVE-2022-0847](https://nvd.nist.gov/vuln/detail/cve-2022-0847) | 允许覆盖任意只读文件中的数据,并通过将代码注入root进程导致权限提升的漏洞 | CAP\_DAC\_READ\_SEARCH |

> Dirty Pipe漏洞

> DirtyPipe (CVE-2022-0847) – 新的DirtyCoW?

> Github:greenhandatsjtu/CVE-2022-0847-Container-Escape

> Github:Al1ex/CVE-2022-0847

| | | [CVE-2022-0492](https://nvd.nist.gov/vuln/detail/CVE-2022-0492) | 缺少验证允许在没有管理权限的情况下为进程设置`release_agent`文件 |

CAP\_SYS\_ADMIN

禁用AppArmor/SELinux

禁用Seccomp

| [影响Cgroups的新Linux漏洞CVE-2022-0492:容器能逃逸吗?](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/) | | | [CVE-2022-0185](https://access.redhat.com/security/cve/cve-2022-0185) | Linux内核文件系统上下文功能中legacy\_parse\_param函数的基于堆的缓冲区溢出缺陷 |

CAP\_SYS\_ADMIN

unshare(CLONE\_NEWNS | CLONE\_NEWUSER)

|

> CVE-2022-0185 - 在攻陷Ubuntu和逃逸Google的KCTF容器后获得31337美元奖金

> Linux内核中的CVE-2022-0185可能允许Kubernetes中的容器逃逸

> Github:Crusaders-of-Rust/CVE-2022-0185

| | [CVE-2021-22555](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22555) | Linux Netfilter中的堆越界写入 | CAP\_NET\_ADMIN | [CVE-2021-22555:将\x00\x00变成10000美元](https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html) | | | [CVE-2021-31440](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31440) | 处理eBPF程序中的缺陷导致权限提升 | CAP\_SYS\_MODULE | [CVE-2021-31440:LINUX内核EBPF验证器中的错误边界计算](https://www.zerodayinitiative.com/blog/2021/5/26/cve-2021-31440-an-incorrect-bounds-calculation-in-the-linux-kernel-ebpf-verifier) | | | [CVE-2020-8835](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8835) | bpf验证器(kernel/bpf/verifier.c)没有正确限制32位操作的寄存器边界,导致内核内存中的越界读取和写入 | CAP\_SYS\_ADMIN | [CVE-2020-8835:通过不当的EBPF程序验证进行LINUX内核权限提升](https://www.zerodayinitiative.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification) | | | [CVE-2017-7308](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308) | net/packet/af\_packet.c中的packet\_set\_ring函数没有正确验证某些块大小数据,允许本地用户通过特殊构造的系统调用获得权限 | CAP\_NET\_RAW | [通过数据包套接字利用Linux内核](https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html) | | ## RunC | CVE | 标题 | 受影响版本 | 参考资料 | | ------------------------------------------------------------------------------------------------ | ---------------------------- | ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [CVE-2021-30465](https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r) | 挂载目标可以通过符号交换交换,导致在rootfs外部挂载 | <=1.0.0-rc94 |

> Github公告:GHSA-c3xm-pvg7-gh7r

> runc挂载目标可以通过符号交换交换,导致在rootfs外部挂载 (CVE-2021-30465)

| | [CVE-2019-19921](https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw) | procfs与共享卷挂载的竞争条件 | <1.0.0-rc10 | [Github公告:GHSA-fh74-hm69-rqjw](https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw) | | [CVE-2019-5736](https://nvd.nist.gov/vuln/detail/CVE-2019-5736) | 由于文件描述符处理不当导致覆盖主机runc二进制文件 | <=1.0-rc6 |

> CVE-2019-5736:从Docker和Kubernetes容器逃逸到主机root

> 通过runC突破Docker – 解释CVE-2019-5736

| ## 参考资料 * [容器安全网站:容器CVE列表](https://www.container-security.site/general_information/container_cve_list.html) * Zeronights 2021:Dmitriy Evdokimov – 容器逃逸Kubernetes版 * [视频](https://www.youtube.com/watch?v=JoLgVBTc73c) * [幻灯片](https://zeronights.ru/wp-content/uploads/2021/09/zn2021_container_escapes_kubernetes_edition_v4.pdf) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://gitbook.cdxiaodong.life/rong-qi-an-quan/tao-yi-ji-shu/cve-list.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.