CVE-2022-4318

CWE-538 CWE-9137 documents6 sources

Severity

7.8HIGH

EPSS

0.0%

top 87.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Cri-o/cri-o Fedoraproject Extra Packages FOR Enterprise Linux Fedoraproject Fedora +4 more

Timeline

PublishedSep 25

Latest updateAug 21

Description

A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶Gogithub.com/cri-o/cri-o< 1.26.0

▶NVDfedoraproject/extra_packages8.0

▶NVDredhat/openshift_container_platform_ibm_z_systems4.11, 4.12+1

Also affects: Fedora 36, 37, Openshift Container Platform 4.11, 4.12

🔴Vulnerability Details

OSV

CRI-O vulnerable to /etc/passwd tampering resulting in Privilege Escalation in github.com/cri-o/cri-o↗2024-08-21

▶

CVEList

Cri-o: /etc/passwd tampering privesc↗2023-09-25

▶

OSV

CRI-O vulnerable to /etc/passwd tampering resulting in Privilege Escalation↗2022-12-29

▶

GHSA

CRI-O vulnerable to /etc/passwd tampering resulting in Privilege Escalation↗2022-12-29

▶

📋Vendor Advisories

Microsoft

Cri-o: /etc/passwd tampering privesc↗2023-09-12

▶

Red Hat

cri-o: /etc/passwd tampering privesc↗2022-12-12

▶