CVE-2022-1706 — Incorrect Authorization in CoreOS Ignition
Severity
6.5 MEDIUM (NVD)
EPSS
0.6%
top 30.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: May 17
Latest update: Aug 21
Description
A vulnerability was found in Ignition where Ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. The highest threat from this vulnerability is to data confidentiality. A possible workaround is to not put secrets in the Ignition config.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6
Affected Packages: 5 packages
Also affects: Fedora 34, 35, 36, Enterprise Linux 9.0, Openshift Container Platform 4.0
Patches
Vulnerability Details (5)
OSV: Ignition config accessible to unprivileged software on VMware in github.com/coreos/ignition (2024-08-21)
OSV: CVE-2022-1706: A vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products (2022-05-17)
CVEList: CVE-2022-1706: A vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products (2022-05-17)