CVE-2022-27652

CWE-276 — Incorrect Default Permissions7 documents5 sources

Severity

5.3MEDIUM

EPSS

0.0%

top 94.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Cri-o/cri-o Mobyproject Moby Fedoraproject Fedora +1 more

Timeline

PublishedApr 18

Latest updateAug 21

Description

A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 1.8 | Impact: 3.4

Affected Packages3 packages

▶NVDmobyproject/moby< 20.10.14

▶Gogithub.com/cri-o/cri-o< 1.24.0

▶CVEListV5cri-oAffects all versions.

Also affects: Fedora 35, Openshift Container Platform 3.11, 4.0

🔴Vulnerability Details

OSV

Incorrect Default Permissions in CRI-O in github.com/cri-o/cri-o↗2024-08-21

▶

OSV

Incorrect Default Permissions in CRI-O↗2022-04-22

▶

GHSA

Incorrect Default Permissions in CRI-O↗2022-04-22

▶

CVEList

CVE-2022-27652: A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions↗2022-04-18

▶

📋Vendor Advisories

Red Hat

cri-o: Security regression of CVE-2022-27652↗2022-10-12

▶

Red Hat

cri-o: Default inheritable capabilities for linux container should be empty↗2022-03-30

▶