CVE-2022-27650: Incorrect Default Permissions in Project Crun

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 73.26%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 4

Description

A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
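As an added defensive check, not part of this record or of crun itself, the following Python snippet parses the capability sets from a /proc/<pid>/status file and reports any bits in the inheritable set, which is exactly the condition this flaw describes (a non-empty CapInh in a freshly started container). The status text below is constructed; the 0xa80425fb mask it uses is assumed for illustration as a typical container-runtime default bounding set.

```python
import re

# Linux capability bit numbers from <linux/capability.h>; only the bits that
# appear in the constructed sample are named here, others print as CAP_<bit>.
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 3: "CAP_FOWNER", 4: "CAP_FSETID",
             5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
             10: "CAP_NET_BIND_SERVICE", 13: "CAP_NET_RAW", 18: "CAP_SYS_CHROOT",
             27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE", 31: "CAP_SETFCAP"}

def parse_capsets(status_text):
    """Return {"CapInh": int, "CapPrm": int, ...} parsed from /proc/<pid>/status text."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)", line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets

def cap_names(mask):
    """Decode a 64-bit capability mask into sorted capability names."""
    return sorted(CAP_NAMES.get(b, f"CAP_{b}") for b in range(64) if mask >> b & 1)

def inheritable_leak(status_text):
    """Capabilities present in CapInh. For a container started with an empty
    default inheritable set (the fixed behaviour) this list is empty; any
    entry is a capability a file with matching inheritable file caps could
    raise into the permitted set at execve(2)."""
    sets = parse_capsets(status_text)
    return cap_names(sets.get("CapInh", 0))

def check_pid(pid="self"):
    """Run the same check against a live process on this host."""
    with open(f"/proc/{pid}/status") as f:
        return inheritable_leak(f.read())

# Constructed sample (not captured from a real system): container PID 1 where
# CapInh mirrors the bounding set instead of being empty.
SAMPLE_VULNERABLE = """Name:\tsh
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
# Same process after the fix: inheritable set is empty.
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace("CapInh:\t00000000a80425fb",
                                         "CapInh:\t0000000000000000")
```

On a live host, `check_pid(<container pid>)` returning anything other than an empty list for a container that was not explicitly given inheritable capabilities is the signal to look for.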

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9

Affected Packages (3 packages)

NVD: crun_project/crun < 1.4.4
Debian: crun_project/crun < 0.17+dfsg-1+deb11u1+3
CVEListV5: crun_project/crun, affects crun v1.4.3 and prior, fixed in v1.4.4

Also affects: Enterprise Linux 8.0, Fedora 34, Openshift Container Platform 4.0

Patches

Vulnerability Details (2)

CVEList: CVE-2022-27650: A flaw was found in crun where containers were incorrectly started with non-empty default permissions (2022-04-04)
OSV: CVE-2022-27650: A flaw was found in crun where containers were incorrectly started with non-empty default permissions (2022-04-04)

Vendor Advisories (2)

Red Hat: crun: Default inheritable capabilities for linux container should be empty (2022-03-30)
Debian: CVE-2022-27650: crun - A flaw was found in crun where containers were incorrectly started with non-empt... (2022)
CVE-2022-27650 — Incorrect Default Permissions | cvebase