CVE-2022-2995
Summary
| CVE | CVE-2022-2995 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-09-19 20:15:00 UTC |
| Updated | 2022-09-21 18:05:00 UTC |
| Description | Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container. |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Kubernetes | Cri-o | 1.25.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Vulnerability in Linux containers – investigation and mitigation – Bentham’s Gaze | MISC | www.benthamsgaze.org | |
| server: add container GID to additional groups by haircommander · Pull Request #6159 · cri-o/cri-o · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 241070 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2022:7398)
- 241558 Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2023:3216)
- 241722 Red Hat OpenShift Container Platform 4.11 Security Update (RHSA-2023:3541)
- 770172 Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2022:7398)
- 770187 Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2023:3216)
- 770194 Red Hat OpenShift Container Platform 4.11 Security Update (RHSA-2023:3541)