CVE-2018-1000400

Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching Error (CWE-270) vulnerability in the handling of ambient capabilities that can result in containers running with elevated privileges, allowing users abilities they should not have. This attack appears to be exploitable via container execution. This vulnerability appears to have been fixed in 1.9.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
VendorProductVersion
kubernetescri-o
𝑥
< 1.9.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
cri-o
noble
dne
jammy
dne
focal
dne
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/104262
https://github.com/kubernetes-incubator/cri-o/pull/1558/files
http://www.securityfocus.com/bid/104262
https://github.com/kubernetes-incubator/cri-o/pull/1558/files