Upstream information
CVE-2022-27650 at MITRE
Description
A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having important severity.
CVSS v2 Scores
| National Vulnerability Database |
Base Score | 6 |
Vector | AV:N/AC:M/Au:S/C:P/I:P/A:P |
Access Vector | Network |
Access Complexity | Medium |
Authentication | Single |
Confidentiality Impact | Partial |
Integrity Impact | Partial |
Availability Impact | Partial |
CVSS v3 Scores
| National Vulnerability Database |
Base Score | 7.5 |
Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Attack Vector | Network |
Attack Complexity | High |
Privileges Required | Low |
User Interaction | None |
Scope | Unchanged |
Confidentiality Impact | High |
Integrity Impact | High |
Availability Impact | High |
CVSSv3 Version | 3.1 |
SUSE Bugzilla entry:
1197871 [NEW]
No SUSE Security Announcements cross referenced.
List of released packages
Product(s) | Fixed package version(s) | References |
SUSE Liberty Linux 8 | aardvark-dns >= 1.0.1-27.module+el8.6.0+14673+621cb8be
buildah >= 1.24.2-4.module+el8.6.0+14673+621cb8be
buildah-tests >= 1.24.2-4.module+el8.6.0+14673+621cb8be
cockpit-podman >= 43-1.module+el8.6.0+14673+621cb8be
conmon >= 2.1.0-1.module+el8.6.0+14673+621cb8be
container-selinux >= 2.179.1-1.module+el8.6.0+14673+621cb8be
containernetworking-plugins >= 1.0.1-2.module+el8.6.0+14673+621cb8be
containers-common >= 1.2.4-1.module+el8.6.0+14694+4f5132e0
crit >= 3.15-3.module+el8.6.0+14673+621cb8be
criu >= 3.15-3.module+el8.6.0+14673+621cb8be
criu-devel >= 3.15-3.module+el8.6.0+14673+621cb8be
criu-libs >= 3.15-3.module+el8.6.0+14673+621cb8be
crun >= 1.4.4-1.module+el8.6.0+14673+621cb8be
fuse-overlayfs >= 1.8.2-1.module+el8.6.0+14673+621cb8be
libslirp >= 4.4.0-1.module+el8.6.0+14673+621cb8be
libslirp-devel >= 4.4.0-1.module+el8.6.0+14673+621cb8be
netavark >= 1.0.1-27.module+el8.6.0+14673+621cb8be
oci-seccomp-bpf-hook >= 1.2.3-3.module+el8.6.0+14673+621cb8be
podman >= 4.0.2-6.module+el8.6.0+14673+621cb8be
podman-catatonit >= 4.0.2-6.module+el8.6.0+14673+621cb8be
podman-docker >= 4.0.2-6.module+el8.6.0+14673+621cb8be
podman-gvproxy >= 4.0.2-6.module+el8.6.0+14673+621cb8be
podman-plugins >= 4.0.2-6.module+el8.6.0+14673+621cb8be
podman-remote >= 4.0.2-6.module+el8.6.0+14673+621cb8be
podman-tests >= 4.0.2-6.module+el8.6.0+14673+621cb8be
python3-criu >= 3.15-3.module+el8.6.0+14673+621cb8be
python3-podman >= 4.0.0-1.module+el8.6.0+14673+621cb8be
runc >= 1.0.3-2.module+el8.6.0+14673+621cb8be
skopeo >= 1.6.1-2.module+el8.6.0+14673+621cb8be
skopeo-tests >= 1.6.1-2.module+el8.6.0+14673+621cb8be
slirp4netns >= 1.1.8-2.module+el8.6.0+14673+621cb8be
toolbox >= 0.0.99.3-1.module+el8.6.0+14694+4f5132e0
toolbox-tests >= 0.0.99.3-1.module+el8.6.0+14694+4f5132e0
udica >= 0.2.6-2.module+el8.6.0+14673+621cb8be
| Patchnames: RHSA-2022:1762 RHSA-2022:1793 |
SUSE Linux Micro 6.0 | | Patchnames: SUSE Linux Micro 6.0 GA crun-1.14-1.18 |
SUSE Linux Micro 6.1 | crun >= 1.15-slfo.1.1_1.3
| Patchnames: SUSE Linux Micro 6.1 GA crun-1.15-slfo.1.1_1.3 |
openSUSE Tumbleweed | | Patchnames: openSUSE-Tumbleweed-2024-11989 |
SUSE Timeline for this CVE
CVE page created: Wed Mar 30 18:00:33 2022
CVE page last modified: Tue Dec 17 18:04:22 2024