CVE-2022-2990

Aliases:GHSA-fjm8-m7m6-2fjpGO-2022-1008

Advisory lineage Upstream: 0 Downstream: 14

Downstream

DEBIAN-CVE-2022-2990 MGASA-2023-0213 OPENSUSE-SU-2024:12289-1 RHSA-2022:7457 RHSA-2022:7822 RHSA-2022:8008

Modified

Published: 13 Sept 2022, 13:44

Last modified:03 Aug 2024, 00:53

Vulnerability Summary

Overall Risk (default)

medium

38/100

CVSS Score

7.1 HIGH

v3.1 (nvd)

EPSS Score

0.09% LOW

0% probability -0.03%

KEV

Not listed

Ransomware

No reports

Public exploits

2 found

Dark Web

Not detected

Timeline

13 Sept 2022, 13:44

Published

Vulnerability first disclosed

03 Aug 2024, 00:53

Last Modified

Vulnerability information updated

Description

An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

CVSS Metrics

v3.1•HIGH•Score: 7.1CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Trends

Current EPSS score: 0.09%• Percentile: 25%

Techniques & Countermeasures

CWE-863•Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-842•Placement of User into Incorrect Group
The product or the administrator places a user into an incorrect group.

Affected Systems

buildah_project•buildah
< 1.27.1
github.com/containers•buildah
< 1.27.1
redhat•enterprise_linux
7.0 | 8.0 | 9.0
redhat•openshift_container_platform
4.0