CVE-2023-6476: Uncontrolled Resource Consumption
A flaw was found in CRI-O in which an experimental annotation causes a container to run unconfined. A pod carrying the annotation can obtain any amount of memory or CPU on the node, regardless of the resources the Kubernetes scheduler accounted for when placing it. Since the scheduler still assumes the pod's declared requests, the node can be overcommitted, potentially resulting in a denial of service against the node and the other workloads running on it.
References
- access.redhat.com/security/cve/CVE-2023-6476
- bugzilla.redhat.com/show_bug.cgi?id=2253994
- github.com/advisories/GHSA-p4rx-7wvg-fwrc
- github.com/cri-o/cri-o/blob/main/pkg/config/workloads.go
- github.com/cri-o/cri-o/commit/75effcb1a25851a736e82dba1f7d8cee93ee159e
- github.com/cri-o/cri-o/pull/4479
- github.com/cri-o/cri-o/security/advisories/GHSA-p4rx-7wvg-fwrc
- nvd.nist.gov/vuln/detail/CVE-2023-6476