Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00d2pqLWp3YzktMng5Ns4AAuwz

Podman's incorrect handling of the supplementary groups may lead to data disclosure, modification

An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

Permalink: https://github.com/advisories/GHSA-4wjj-jwc9-2x96
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00d2pqLWp3YzktMng5Ns4AAuwz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago

CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-4wjj-jwc9-2x96, CVE-2022-2989
References:

Repository: https://github.com/containers/podman
Blast Radius: 13.5

Affected Packages

go:github.com/containers/podman/v3

Dependent packages: 127
Dependent repositories: 53
Downloads:
Affected Version Ranges: < 3.0.1
Fixed in: 3.0.1
All affected versions: 3.0.0
All unaffected versions: 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7

go:github.com/containers/podman/v4

Dependent packages: 60
Dependent repositories: 80
Downloads:
Affected Version Ranges: < 4.2.0
Fixed in: 4.2.0
All affected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1
All unaffected versions: 4.2.0, 4.2.1, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.2, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.9.0