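Incorrect handling of supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or data modification. This requires that an attacker has direct access to an affected container in which supplementary groups are used to set access permissions, and is able to execute binary code in that container. The records below track this as CVE-2022-2995 (CWE-732). Their affectedSoftware entry lists github.com/cri-o/cri-o versions below 1.25.0, while the NVD CPE entry names 1.25.0 itself, so confirm the fixed release against the referenced commit and pull request before relying on either range.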
{"id": "OSV:GHSA-PHJR-8J92-W5V7", "bulletinFamily": "software", "title": "CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure", "description": "Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.", "published": "2022-09-20T00:00:22", "modified": "2022-09-22T17:22:56", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2}, "href": "https://osv.dev/vulnerability/GHSA-phjr-8j92-w5v7", "reporter": "Google", "references": ["https://github.com/cri-o/cri-o", "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/", "https://github.com/cri-o/cri-o/commit/db3b399a8d7dabf7f073db73894bee98311d7909", "https://github.com/cri-o/cri-o/pull/6159", "https://nvd.nist.gov/vuln/detail/CVE-2022-2995"], "cvelist": ["CVE-2022-2995"], "immutableFields": [], "type": "osv", "lastseen": "2022-09-22T17:48:29", "edition": 1, "viewCount": 3, "enchantments": {"dependencies": {"references": [{"idList": ["RH:CVE-2022-2995"], "type": "redhatcve"}, {"idList": ["VERACODE:37197"], "type": "veracode"}, {"idList": ["CVE-2022-2995"], "type": "cve"}, {"idList": ["GHSA-PHJR-8J92-W5V7"], "type": "github"}]}, "score": {"value": 1.4, "vector": "NONE"}, "affected_software": {"major_version": [{"name": "github.com/cri-o/cri-o", "version": 
1}]}, "vulnersScore": 1.4}, "_state": {"dependencies": 1663869511, "score": 1663869967, "affected_software_major_version": 1666703109}, "_internal": {"score_hash": "64ce6efccafa7767e40cba9b139fa615"}, "affectedSoftware": [{"name": "github.com/cri-o/cri-o", "operator": "lt", "version": "1.25.0"}]}
{"veracode": [{"lastseen": "2022-09-26T00:28:11", "description": "github.com/cri-o/cri-o is vulnerable to information disclosure.The vulnerability exists in `setupContainerUser` function in `container_create.go` due to incorrect handling of the supplementary groups which allows an attacker to gain permissions and execute a binary code via container. \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-09-20T06:51:41", "type": "veracode", "title": "Information Disclosure", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-2995"], "modified": "2022-09-23T14:23:08", "id": "VERACODE:37185", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-37185/summary", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-22T07:08:44", "description": "github.com/cri-o/cri-o is vulnerable to improper access control. 
The vulnerability exists because of incorrect handling of the supplementary groups, which allows local authenticated attackers to access restricted information or possible unauthorized data modification.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-09-20T12:11:57", "type": "veracode", "title": "Improper Access Control", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-2995"], "modified": "2022-09-21T20:22:15", "id": "VERACODE:37197", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-37197/summary", "cvss": {"score": 0.0, "vector": "NONE"}}], "github": [{"lastseen": "2023-01-08T05:05:25", "description": "Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-09-20T00:00:22", "type": "github", "title": "CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure", "bulletinFamily": "software", 
"cvss2": {}, "cvelist": ["CVE-2022-2995"], "modified": "2023-01-08T05:03:02", "id": "GHSA-PHJR-8J92-W5V7", "href": "https://github.com/advisories/GHSA-phjr-8j92-w5v7", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-09-21T20:51:46", "description": "Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-09-19T20:15:00", "type": "cve", "title": "CVE-2022-2995", "cwe": ["CWE-732"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-2995"], "modified": "2022-09-21T18:05:00", "cpe": ["cpe:/a:kubernetes:cri-o:1.25.0"], "id": "CVE-2022-2995", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2995", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:kubernetes:cri-o:1.25.0:*:*:*:*:*:*:*"]}], "redhatcve": [{"lastseen": "2023-01-17T23:08:01", "description": "Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", 
"scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-08-26T05:40:12", "type": "redhatcve", "title": "CVE-2022-2995", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-2995"], "modified": "2023-01-17T22:03:09", "id": "RH:CVE-2022-2995", "href": "https://access.redhat.com/security/cve/cve-2022-2995", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhat": [{"lastseen": "2023-01-25T14:43:43", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.0. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHSA-2022:7399\n\nSecurity Fix(es):\n\n* go-yaml: Denial of Service in go-yaml (CVE-2021-4235)\n* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\n* kubernetes: Unauthorized read of Custom Resources (CVE-2022-3162)\n* kube-apiserver: Aggregated API server can cause clients to be redirected (SSRF) (CVE-2022-3172)\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n* cri-o: incorrect handling of the supplementary groups (CVE-2022-2995)\n* OpenShift: Missing HTTP Strict Transport Security (CVE-2022-3259)\n* cri-o: Security regression of CVE-2022-27652 (CVE-2022-3466)\n* golang: math/big: decoding big.Float and big.Rat 
types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-01-17T14:27:50", "type": "redhat", "title": "(RHSA-2022:7398) Moderate: OpenShift Container Platform 4.12.0 packages and security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4235", "CVE-2022-27652", "CVE-2022-27664", "CVE-2022-2879", "CVE-2022-2880", "CVE-2022-2995", "CVE-2022-30631", "CVE-2022-3162", "CVE-2022-3172", "CVE-2022-32148", "CVE-2022-32189", 
"CVE-2022-32190", "CVE-2022-3259", "CVE-2022-3466", "CVE-2022-41715"], "modified": "2023-01-25T13:50:36", "id": "RHSA-2022:7398", "href": "https://access.redhat.com/errata/RHSA-2022:7398", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-17T20:11:07", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the container images for Red Hat OpenShift Container Platform 4.12.0. See the following advisory for the RPM packages for this release:\n\nhttps://access.redhat.com/errata/RHSA-2022:7398\n\nSpace precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:\n\nhttps://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html\n\nSecurity Fix(es):\n\n* golang: out-of-bounds read in golang.org/x/text/language leads to DoS\n(CVE-2021-38561)\n* golang: net/http: improper sanitization of Transfer-Encoding header\n(CVE-2022-1705)\n* golang: archive/tar: unbounded memory consumption when reading headers\n(CVE-2022-2879)\n* golang: net/http/httputil: ReverseProxy should not forward unparseable\nquery parameters (CVE-2022-2880)\n* prometheus/client_golang: Denial of service using\nInstrumentHandlerCounter (CVE-2022-21698)\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit\nX-Forwarded-For not working (CVE-2022-32148)\n* golang: net/url: JoinPath does not strip relative path components in all\ncircumstances (CVE-2022-32190)\n* vault: insufficient certificate revocation list checking (CVE-2022-41316)\n* golang: regexp/syntax: limit memory used by parsing regexps\n(CVE-2022-41715)\n* openshift: etcd grpc-proxy vulnerable to The Birthday attack against 64-bit block cipher (CVE-2023-0296)\n\nFor more details about the 
security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s)\nlisted in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-17T19:33:50", "type": "redhat", "title": "(RHSA-2022:7399) Moderate: OpenShift Container Platform 4.12.0 bug fix and security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22570", "CVE-2021-38561", "CVE-2021-4235", "CVE-2022-1705", "CVE-2022-21698", "CVE-2022-24302", "CVE-2022-27664", "CVE-2022-2879", "CVE-2022-2880", "CVE-2022-2995", "CVE-2022-30631", "CVE-2022-3162", "CVE-2022-3172", "CVE-2022-32148", "CVE-2022-32189", "CVE-2022-32190", "CVE-2022-3259", "CVE-2022-3466", "CVE-2022-41316", "CVE-2022-41715", "CVE-2022-42010", "CVE-2022-42011", "CVE-2022-42012", "CVE-2022-42898", "CVE-2023-0296"], "modified": "2023-01-17T19:34:38", "id": "RHSA-2022:7399", "href": "https://access.redhat.com/errata/RHSA-2022:7399", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}