Lucene search

[email protected]CVE-2022-2990

HistorySep 13, 2022 - 2:15 p.m.

CVE-2022-2990

2022-09-1314:15:00

CWE-842

[email protected]

web.nvd.nist.gov

261

cve-2022-2990

buildah

container engine

sensitive information disclosure

data modification

supplementary groups

access permissions

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

6.8 Medium

AI Score

Confidence

High

3.2 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:S/C:P/I:P/A:N

0.0005 Low

EPSS

Percentile

17.4%

JSON

An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

CPENameOperatorVersion
buildah_project:buildahbuildah project buildahlt1.27.1
redhat:enterprise_linuxredhat enterprise linuxeq7.0
redhat:enterprise_linuxredhat enterprise linuxeq8.0
redhat:openshift_container_platformredhat openshift container platformeq4.0
redhat:enterprise_linuxredhat enterprise linuxeq9.0

CPE	Name	Operator	Version
buildah_project:buildah	buildah project buildah	lt	1.27.1
redhat:enterprise_linux	redhat enterprise linux	eq	7.0
redhat:enterprise_linux	redhat enterprise linux	eq	8.0
redhat:openshift_container_platform	redhat openshift container platform	eq	4.0
redhat:enterprise_linux	redhat enterprise linux	eq	9.0