7.5

CVE-2022-27650

EPSS 0.07%
Published 04.04.2022 20:15:10
Last modified 21.11.2024 06:56:06
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Crun Project ≫ Crun Version < 1.4.4

Fedoraproject ≫ Fedora Version34

Redhat ≫ Openshift Container Platform Version4.0

Redhat ≫ Enterprise Linux Version8.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.07%	0.232

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	1.6	5.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6	6.8	6.4	AV:N/AC:M/Au:S/C:P/I:P/A:P

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

https://bugzilla.redhat.com/show_bug.cgi?id=2066845

Third Party Advisory

Issue Tracking

https://github.com/containers/crun/commit/1aeeed2e4fdeffb4875c0d0b439915894594c8c6

Patch

Third Party Advisory

https://github.com/containers/crun/security/advisories/GHSA-wr4f-w546-m398

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYIGABCZ7ZHAG2XCOGITTQRJU2ASWMFA/

https://nvd.nist.gov/vuln/detail/CVE-2022-27650

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-27650

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-27650

EUVD