7.8

CVE-2022-31214

EPSS 0.07%
Published 09.06.2022 16:15:08
Last modified 21.11.2024 07:04:08
Source cve@mitre.org
Teams watchlist Login
Open Login

A Privilege Context Switching issue was discovered in join.c in Firejail 0.9.68. By crafting a bogus Firejail container that is accepted by the Firejail setuid-root program as a join target, a local attacker can enter an environment in which the Linux user namespace is still the initial user namespace, the NO_NEW_PRIVS prctl is not activated, and the entered mount namespace is under the attacker's control. In this way, the filesystem layout can be adjusted to gain root privileges through execution of available setuid-root binaries such as su or sudo.

Affected products Warnungen 0 Metrics 3 CWE 1 References 11

Data is provided by the National Vulnerability Database (NVD)

Firejail Project ≫ Firejail Version0.9.68

Fedoraproject ≫ Fedora Version35

Fedoraproject ≫ Fedora Version36

Fedoraproject ≫ Fedora Version37

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.07%	0.223

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://firejail.wordpress.com/download-2/release-notes/

Third Party Advisory

Release Notes

https://lists.debian.org/debian-lts-announce/2022/06/msg00023.html

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RZOTZ36RUSL6DOVHITY25ZYKWTG5HN3/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KUZZ5M6LIBYRKTKGROXC47TDC3FRTGJF/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIBEBE3KFINMGJATBQQS7D2VQQ62ZVMF/

https://security.gentoo.org/glsa/202305-19

https://www.debian.org/security/2022/dsa-5167

Third Party Advisory

https://www.openwall.com/lists/oss-security/2022/06/08/10

Patch

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2022-31214

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-31214

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-31214

EUVD