{"api_version":"1","generated_at":"2026-04-23T02:34:11+00:00","cve":"CVE-2022-2995","urls":{"html":"https://cve.report/CVE-2022-2995","api":"https://cve.report/api/cve/CVE-2022-2995.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-2995","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-2995"},"summary":{"title":"CVE-2022-2995","description":"Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2022-09-19 20:15:00","updated_at":"2022-09-21 18:05:00"},"problem_types":["CWE-732"],"metrics":[],"references":[{"url":"https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/","name":"https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/","refsource":"MISC","tags":[],"title":"Vulnerability in Linux containers – investigation and mitigation – Bentham’s Gaze","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/cri-o/cri-o/pull/6159","name":"https://github.com/cri-o/cri-o/pull/6159","refsource":"MISC","tags":[],"title":"server: add container GID to additional groups by haircommander · Pull Request #6159 · cri-o/cri-o · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-2995","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2995","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"2995","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"kubernetes","cpe5":"cri-o","cpe6":"1.25.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-2995","qid":"241070","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2022:7398)"},{"cve":"CVE-2022-2995","qid":"241558","title":"Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2023:3216)"},{"cve":"CVE-2022-2995","qid":"241722","title":"Red Hat OpenShift Container Platform 4.11 Security Update (RHSA-2023:3541)"},{"cve":"CVE-2022-2995","qid":"770172","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2022:7398)"},{"cve":"CVE-2022-2995","qid":"770187","title":"Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2023:3216)"},{"cve":"CVE-2022-2995","qid":"770194","title":"Red Hat OpenShift Container Platform 4.11 Security Update (RHSA-2023:3541)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2022-2995","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"cri-o","version":{"version_data":[{"version_value":"cri-o 1.25.0"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-284"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/","url":"https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"},{"refsource":"MISC","name":"https://github.com/cri-o/cri-o/pull/6159","url":"https://github.com/cri-o/cri-o/pull/6159"}]},"description":{"description_data":[{"lang":"eng","value":"Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container."}]}},"nvd":{"publishedDate":"2022-09-19 20:15:00","lastModifiedDate":"2022-09-21 18:05:00","problem_types":["CWE-732"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:kubernetes:cri-o:1.25.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}