7.8

CVE-2022-0358

A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
QemuQemu Version < 6.2.0-7
RedhatEnterprise Linux Version8.0 SwEditionadvanced_virtualization
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.33% 0.25
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-273 Improper Check for Dropped Privileges

The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

https://access.redhat.com/security/cve/CVE-2022-0358
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2044863
Patch
Third Party Advisory
Issue Tracking
https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca
Patch
Third Party Advisory
https://security.netapp.com/advisory/ntap-20221007-0008/
Third Party Advisory