Google Llc Fscrypt vulnerabilities

CVE-2022-25328 [MEDIUM] CWE-78 CVE-2022-25328: The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, al The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be u

CVE-2022-25326 [MEDIUM] CWE-400 CVE-2022-25326: fscrypt through v0.3.2 creates a world-writable directory by default when setting up a filesystem, a fscrypt through v0.3.2 creates a world-writable directory by default when setting up a filesystem, allowing unprivileged users to exhaust filesystem space. We recommend upgrading to fscrypt 0.3.3 or above and adjusting the permissions on existing fscrypt metadata directories where applicable.

CVE-2022-25327 [MEDIUM] CWE-255 CVE-2022-25327: The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, allowing users to cre The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating a fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to version 0.3.3 or ab