CVE-2022-2995Improper Access Control in Cri-o Cri-o

CWE-284Improper Access ControlCWE-732Incorrect Permission Assignment8 documents6 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 90.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Cri-o Cri-oKubernetes Cri-o
Timeline
PublishedSep 19
Latest updateMay 2

Description

Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.2

Affected Packages3 packages

CVEListV5kubernetes/cri-ocri-o 1.25.0
NVDkubernetes/cri-o1.25.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure in github.com/cri-o/cri-o2024-08-21
GHSA
CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure2022-09-20
OSV
CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure2022-09-20
CVEList
CVE-2022-2995: Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modificat2022-09-19

📋Vendor Advisories

3
Red Hat
kernel: bnxt_en: Avoid order-5 memory allocation for TPA data2025-05-02
Microsoft
Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affect2022-09-13
Red Hat
cri-o: incorrect handling of the supplementary groups2022-08-25
CVE-2022-2995 — Improper Access Control in Cri-o Cri-o | cvebase