CVE-2023-6476

Summary

A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/cpu, circumventing the kubernetes scheduler and potentially resulting in a denial of service in the node.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat OpenShift Container Platform 4.130:1.26.4-6.1.rhaos4.13.git9eb9cf3.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.140:1.27.2-7.rhaos4.14.git1cc7a64.el9 < *unaffected

Weaknesses

  • CWE-770: Allocation of Resources Without Limits or Throttling

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References