CVE-2022-1708
HIGHCRI-O <1.19.7 and >=1.24.0 <1.24.1 - Denial of Service via ExecSync Output Handling
Title source: llmDescription
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.
References (3)
Core 3
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=2085361
Exploit, Third Party Advisory x_refsource_misc
https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j
Patch x_refsource_misc
https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544
Scores
CVSS v3
7.5
EPSS
0.0048
EPSS Percentile
65.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-770
CWE-400
Status
published
Products (11)
cri-o/cri-o
1.24.0 - 1.24.1Go
fedoraproject/fedora
36
kubernetes/cri-o
1.24.0
kubernetes/cri-o
< 1.19.7
redhat/enterprise_linux
7.0
redhat/enterprise_linux
8.0
redhat/enterprise_linux
9.0
redhat/openshift_container_platform
3.11
redhat/openshift_container_platform
4.0
redhat/openshift_container_platform
4.9
... and 1 more
Published
Jun 07, 2022
Tracked Since
Feb 18, 2026