Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
vulnrichmentRedhatVULNRICHMENT:CVE-2022-3466
HistorySep 15, 2023 - 1:18 p.m.

CVE-2022-3466 Cri-o: security regression of cve-2022-27652

2023-09-1513:18:27
CWE-276
redhat
github.com
6
cve-2022-3466
cri-o
security regression fix
red hat openshift container platform 4.9.48
4.10.31
4.11.6
rhba-2022:6316
rhba-2022:6257
rhba-2022:6658
inheritable file capabilities
execve(2)

CVSS3

4.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

AI Score

6.8

Confidence

Low

SSVC

Exploitation

none

Automatable

no

Technical Impact

partial

JSON

The version of cri-o as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6 via RHBA-2022:6316, RHBA-2022:6257, and RHBA-2022:6658, respectively, included an incorrect version of cri-o missing the fix for CVE-2022-27652, which was previously fixed in OCP 4.9.41 and 4.10.12 via RHBA-2022:5433 and RHSA-2022:1600. This issue could allow an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. For more details, see https://access.redhat.com/security/cve/CVE-2022-27652.

CNA Affected

[
  {
    "cpes": [
      "cpe:/a:redhat:openshift:4.12::el8",
      "cpe:/a:redhat:openshift:4.12::el9",
      "cpe:/a:redhat:openshift_ironic:4.12::el9"
    ],
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 4.12",
    "versions": [
      {
        "status": "unaffected",
        "version": "0:1.25.1-5.rhaos4.12.git6005903.el9",
        "lessThan": "*",
        "versionType": "rpm"
      }
    ],
    "packageName": "cri-o",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "affected"
  },
  {
    "cpes": [
      "cpe:/a:redhat:openshift:3.11"
    ],
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 3.11",
    "packageName": "cri-o",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "unknown"
  }
]

Related

prion 2
nvd 2
cvelist 2
cve 2
redhatcve 2
github 1
osv 3
veracode 2
altlinux 1
nessus 3
redhat 8
prion
prion
Design/Logic Flaw
2023-09-15 14:15:00
Default credentials
2022-04-18 17:15:00
nvd
nvd
CVE-2022-3466
2023-09-15 14:15:08
CVE-2022-27652
2022-04-18 17:15:16
cvelist
cvelist
CVE-2022-3466 Cri-o: security regression of cve-2022-27652
2023-09-15 13:18:27
CVE-2022-27652
2022-04-18 16:20:29
cve
cve
CVE-2022-3466
2023-09-15 14:15:08
CVE-2022-27652
2022-04-18 17:15:16
redhatcve
redhatcve
CVE-2022-3466
2022-10-13 20:01:19
CVE-2022-27652
2022-03-31 20:48:35
github
github
Incorrect Default Permissions in CRI-O
2022-04-22 20:42:46
osv
osv
Incorrect Default Permissions in CRI-O in github.com/cri-o/cri-o
2024-08-21 15:11:31
CVE-2022-27652
2022-04-18 17:15:16
Incorrect Default Permissions in CRI-O
2022-04-22 20:42:46
veracode
veracode
Insecure Defaults
2022-04-25 08:12:13
Privilege Escalation
2023-01-31 00:46:09
altlinux
altlinux
Security fix for the ALT Linux 10 package cri-o version 1.26.2-alt1
2023-03-29 00:00:00
nessus
nessus
RHEL 8 : OpenShift Container Platform 4.10.12 (RHSA-2022:1600)
2022-05-02 00:00:00
RHEL 8 / 9 : OpenShift Container Platform 4.12.0 (RHSA-2022:7398)
2024-04-28 00:00:00
RHCOS 4 : OpenShift Container Platform 4.12.0 (RHSA-2022:7398)
2024-01-24 00:00:00
redhat
redhat
(RHSA-2022:1600) Moderate: OpenShift Container Platform 4.10.12 security update
2022-05-02 18:14:27
(RHSA-2022:7398) Moderate: OpenShift Container Platform 4.12.0 packages and security update
2023-01-17 14:27:50
(RHSA-2024:1072) Moderate: Red Hat Ansible Automation Platform 2.4 Container Release Security and Bug Fix Update
2024-03-04 20:05:36

CVSS3

4.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

AI Score

6.8

Confidence

Low

SSVC

Exploitation

none

Automatable

no

Technical Impact

partial

JSON
Related for VULNRICHMENT:CVE-2022-3466
prion2nvd2cvelist2cve2redhatcve2github1osv3veracode2altlinux1nessus3redhat8