7.8
CVE-2022-0358
- EPSS 0.02%
- Published 29.08.2022 15:15:09
- Last modified 21.11.2024 06:38:27
- Source secalert@redhat.com
- Teams watchlist Login
- Open Login
A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.
Data is provided by the National Vulnerability Database (NVD)
Redhat ≫ Enterprise Linux Version8.0 SwEditionadvanced_virtualization
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.039 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-273 Improper Check for Dropped Privileges
The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.