CVE-2022-27650

high

Description

A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

References

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYIGABCZ7ZHAG2XCOGITTQRJU2ASWMFA/

https://github.com/containers/crun/security/advisories/GHSA-wr4f-w546-m398

https://github.com/containers/crun/commit/1aeeed2e4fdeffb4875c0d0b439915894594c8c6

https://bugzilla.redhat.com/show_bug.cgi?id=2066845

Details

Source: Mitre, NVD

Published: 2022-04-04

Updated: 2023-11-07

Risk Information

CVSS v2

Base Score: 6

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High