{"api_version":"1","generated_at":"2026-04-22T23:31:11+00:00","cve":"CVE-2022-2990","urls":{"html":"https://cve.report/CVE-2022-2990","api":"https://cve.report/api/cve/CVE-2022-2990.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-2990","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-2990"},"summary":{"title":"CVE-2022-2990","description":"An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2022-09-13 14:15:00","updated_at":"2023-02-12 22:15:00"},"problem_types":["CWE-842"],"metrics":[],"references":[{"url":"https://access.redhat.com/errata/RHSA-2022:7457","name":"https://access.redhat.com/errata/RHSA-2022:7457","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/","name":"https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/","refsource":"MISC","tags":[],"title":"Vulnerability in Linux containers – investigation and mitigation – Bentham’s Gaze","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2121453","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2121453","refsource":"MISC","tags":[],"title":"2121453 – (CVE-2022-2990) CVE-2022-2990 buildah: possible information disclosure and modification","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://access.redhat.com/errata/RHSA-2022:8431","name":"https://access.redhat.com/errata/RHSA-2022:8431","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2022:7822","name":"https://access.redhat.com/errata/RHSA-2022:7822","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/security/cve/CVE-2022-2990","name":"https://access.redhat.com/security/cve/CVE-2022-2990","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://access.redhat.com/errata/RHSA-2022:8008","name":"https://access.redhat.com/errata/RHSA-2022:8008","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-2990","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2990","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"2990","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"buildah_project","cpe5":"buildah","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"2990","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"2990","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"2990","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"2990","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openshift_container_platform","cpe6":"4.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-2990","qid":"160233","title":"Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2022-7457)"},{"cve":"CVE-2022-2990","qid":"160285","title":"Oracle Enterprise Linux Security Update for buildah (ELSA-2022-8008)"},{"cve":"CVE-2022-2990","qid":"160318","title":"Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2022-7822)"},{"cve":"CVE-2022-2990","qid":"160323","title":"Oracle Enterprise Linux Security Update for podman (ELSA-2022-8431)"},{"cve":"CVE-2022-2990","qid":"183653","title":"Debian Security Update for golang-github-containers-buildah (CVE-2022-2990)"},{"cve":"CVE-2022-2990","qid":"240829","title":"Red Hat Update for container-tools:rhel8 security (RHSA-2022:7457)"},{"cve":"CVE-2022-2990","qid":"240848","title":"Red Hat Update for container-tools:rhel8 security (RHSA-2022:7822)"},{"cve":"CVE-2022-2990","qid":"240894","title":"Red Hat Update for buildah (RHSA-2022:8008)"},{"cve":"CVE-2022-2990","qid":"240912","title":"Red Hat Update for podman security (RHSA-2022:8431)"},{"cve":"CVE-2022-2990","qid":"241546","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:1325)"},{"cve":"CVE-2022-2990","qid":"502821","title":"Alpine Linux Security Update for buildah"},{"cve":"CVE-2022-2990","qid":"752726","title":"SUSE Enterprise Linux Security Update for buildah (SUSE-SU-2022:3766-1)"},{"cve":"CVE-2022-2990","qid":"752967","title":"SUSE Enterprise Linux Security Update for buildah (SUSE-SU-2022:4350-1)"},{"cve":"CVE-2022-2990","qid":"752975","title":"SUSE Enterprise Linux Security Update for buildah (SUSE-SU-2022:4349-1)"},{"cve":"CVE-2022-2990","qid":"753242","title":"SUSE Enterprise Linux Security Update for buildah (SUSE-SU-2022:3655-1)"},{"cve":"CVE-2022-2990","qid":"755103","title":"SUSE Enterprise Linux Security Update for buildah (SUSE-SU-2023:4099-1)"},{"cve":"CVE-2022-2990","qid":"770186","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:1325)"},{"cve":"CVE-2022-2990","qid":"903948","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for buildah (10960)"},{"cve":"CVE-2022-2990","qid":"904605","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for buildah (11514)"},{"cve":"CVE-2022-2990","qid":"907337","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for buildah (10960-1)"},{"cve":"CVE-2022-2990","qid":"940780","title":"AlmaLinux Security Update for container-tools:rhel8 (ALSA-2022:7822)"},{"cve":"CVE-2022-2990","qid":"940785","title":"AlmaLinux Security Update for podman (ALSA-2022:8431)"},{"cve":"CVE-2022-2990","qid":"940827","title":"AlmaLinux Security Update for buildah (ALSA-2022:8008)"},{"cve":"CVE-2022-2990","qid":"960172","title":"Rocky Linux Security Update for container-tools:rhel8 (RLSA-2022:7457)"},{"cve":"CVE-2022-2990","qid":"960180","title":"Rocky Linux Security Update for container-tools:rhel8 (RLSA-2022:7822)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-2990","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-842","cweId":"CWE-842"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"buildah","version":{"version_data":[{"version_affected":"=","version_value":"no fixed version known"}]}}]}}]}},"references":{"reference_data":[{"url":"https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/","refsource":"MISC","name":"https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2121453","refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2121453"}]}},"nvd":{"publishedDate":"2022-09-13 14:15:00","lastModifiedDate":"2023-02-12 22:15:00","problem_types":["CWE-842"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*","versionEndExcluding":"1.27.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}