7.5

CVE-2022-27650

EPSS 0.07%
Veröffentlicht 04.04.2022 20:15:10
Zuletzt bearbeitet 21.11.2024 06:56:06
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Crun Project ≫ Crun Version < 1.4.4

Fedoraproject ≫ Fedora Version34

Redhat ≫ Openshift Container Platform Version4.0

Redhat ≫ Enterprise Linux Version8.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.232

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	1.6	5.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6	6.8	6.4	AV:N/AC:M/Au:S/C:P/I:P/A:P

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

https://bugzilla.redhat.com/show_bug.cgi?id=2066845

Third Party Advisory

Issue Tracking

https://github.com/containers/crun/commit/1aeeed2e4fdeffb4875c0d0b439915894594c8c6

Patch

Third Party Advisory

https://github.com/containers/crun/security/advisories/GHSA-wr4f-w546-m398

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYIGABCZ7ZHAG2XCOGITTQRJU2ASWMFA/

https://nvd.nist.gov/vuln/detail/CVE-2022-27650

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-27650

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-27650

EUVD