CVE-2022-25328

CWE-78 — OS Command Injection7 documents5 sources

Severity

7.3HIGH

EPSS

0.0%

top 90.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Google/fscrypt Google Fscrypt Google LLC Fscrypt

Timeline

PublishedFeb 25

Latest updateMar 1

Description

The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be using the fscrypt bash completion script to complete mountpoint paths. We recommend upgrading to version 0.3.3 or above

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:HExploitability: 1.3 | Impact: 3.6

Affected Packages4 packages

▶NVDgoogle/fscrypt< 0.3.3

▶Gogithub.com/google/fscrypt< 0.3.3

▶Debianfscrypt< 0.3.3-1+2

▶CVEListV5google_llc/fscryptunspecified — 0.3.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Possible privilege escalation via bash completion script↗2022-03-01

▶

OSV

Command injection in github.com/google/fscrypt↗2022-02-26

▶

GHSA

Command injection in github.com/google/fscrypt↗2022-02-26

▶

OSV

CVE-2022-25328: The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set o↗2022-02-25

▶

CVEList

Privilege escalation through command injection in fscrypt↗2022-02-25

▶

📋Vendor Advisories

Debian

CVE-2022-25328: fscrypt - The bash_completion script for fscrypt allows injection of commands via crafted ...↗2022

▶