CVE-2022-2989 — Placement of User into Incorrect Group in Containers Podman V3
Severity
7.1HIGHNVD
EPSS
0.0%
top 85.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedSep 13
Latest updateAug 16
Description
An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.2
Affected Packages4 packages
Also affects: Openshift Container Platform 3.11, 4.0, Enterprise Linux 7.0, 8.0, 9.0
Patches
🔴Vulnerability Details
4GHSA▶
Podman's incorrect handling of the supplementary groups may lead to data disclosure, modification↗2022-09-14
OSV▶
Podman's incorrect handling of the supplementary groups may lead to data disclosure, modification↗2022-09-14
OSV▶
CVE-2022-2989: An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data m↗2022-09-13
CVEList▶
CVE-2022-2989: An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data m↗2022-09-13
📋Vendor Advisories
4Microsoft▶
An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to th↗2022-09-13
Debian▶
CVE-2022-2989: libpod - An incorrect handling of the supplementary groups in the Podman container engine...↗2022