Security issues detected in gitlab-runner binary for dependency github.com/containerd/containerd
I got the following security issues via trivy in our gitlab-runner server:
usr/bin/gitlab-runner (gobinary)
================================
Total: 2 (HIGH: 2, CRITICAL: 0)
+----------------------------------+------------------+----------+-------------------+-----------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------------------------------+------------------+----------+-------------------+-----------------------+---------------------------------------+
| github.com/containerd/containerd | CVE-2021-41103 | HIGH | v1.4.3 | v1.4.11, v1.5.7 | containerd: insufficiently |
| | | | | | restricted permissions on container |
| | | | | | root and plugin directories |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-41103 |
+ +------------------+ + +-----------------------+---------------------------------------+
| | CVE-2022-23648 | | | 1.4.13, 1.5.10, 1.6.1 | containerd: insecure |
| | | | | | handling of image volumes |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-23648 |
+----------------------------------+------------------+----------+-------------------+-----------------------+---------------------------------------+
Tested on Ubuntu 18.04.6 LTS for the following runner version:
Version: 14.9.1
Git revision: f188edd7
Git branch: 14-9-stable
GO version: go1.17.7
Built: 2022-03-22T20:45:44+0000
OS/Arch: linux/amd64