SB20230816271 - Fedora 38 update for stargz-snapshotter

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20230816271

SB20230816271 - Fedora 38 update for stargz-snapshotter

Published: August 16, 2023

Security Bulletin ID SB20230816271
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2022-41717)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive memory growth when handling HTTP/2 server requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.


2) Resource exhaustion (CVE-ID: CVE-2023-25153)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when importing an OCI image. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Improper Privilege Management (CVE-ID: CVE-2023-25173)

The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to improper privilege management where supplementary groups are not set up properly inside a container. A local user can use supplementary group access to bypass primary group restrictions and compromise the container.


Remediation

Install update from vendor's website.

References