CVE-2022-2990 — Placement of User into Incorrect Group in Containers Buildah
Severity
7.1HIGHNVD
EPSS
0.1%
top 74.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedSep 13
Latest updateSep 21
Description
An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.2
Affected Packages3 packages
Also affects: Openshift Container Platform 4.0, Enterprise Linux 7.0, 8.0, 9.0
Patches
🔴Vulnerability Details
5OSV▶
Buildah's incorrect handling of the supplementary groups may lead to data disclosure, modification↗2022-09-14
GHSA▶
Buildah's incorrect handling of the supplementary groups may lead to data disclosure, modification↗2022-09-14
OSV▶
CVE-2022-2990: An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data↗2022-09-13
CVEList▶
CVE-2022-2990: An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data↗2022-09-13
📋Vendor Advisories
3Microsoft▶
An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to t↗2022-09-13
Debian▶
CVE-2022-2990: golang-github-containers-buildah - An incorrect handling of the supplementary groups in the Buildah container engin...↗2022