ubuntucve | Ubuntu.com | UB:CVE-2022-25328
History: Feb 25, 2022 - 12:00 a.m.

CVE-2022-25328

2022-02-25 00:00:00
ubuntu.com
Tags: fscrypt, bash completion, privilege escalation, mountpoint paths, vulnerability, upgrade, unix

CVSS2: 7.2
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 7.3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS: 0
Percentile: 5.2%

The bash_completion script for fscrypt allows injection of commands via
crafted mountpoint paths, allowing privilege escalation under a specific
set of circumstances. A local user who has control over mountpoint paths
could potentially escalate their privileges if they create a malicious
mountpoint path and if the system administrator happens to be using the
fscrypt bash completion script to complete mountpoint paths. We recommend
upgrading to version 0.3.3 or above.
