Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00d2pqLWp3YzktMng5Ns4AAuwz
Podman's incorrect handling of the supplementary groups may lead to data disclosure, modification
An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
Permalink: https://github.com/advisories/GHSA-4wjj-jwc9-2x96JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00d2pqLWp3YzktMng5Ns4AAuwz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: almost 2 years ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-4wjj-jwc9-2x96, CVE-2022-2989
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-2989
- https://bugzilla.redhat.com/show_bug.cgi?id=2121445
- https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
- https://github.com/containers/podman/pull/15618
- https://github.com/containers/podman/pull/15677
- https://github.com/containers/podman/pull/15696
- https://access.redhat.com/errata/RHSA-2022:7822
- https://access.redhat.com/errata/RHSA-2022:8008
- https://access.redhat.com/errata/RHSA-2022:8431
- https://access.redhat.com/security/cve/CVE-2022-2989
- https://github.com/advisories/GHSA-4wjj-jwc9-2x96
Blast Radius: 13.5
Affected Packages
go:github.com/containers/podman/v3
Dependent packages: 151Dependent repositories: 53
Downloads:
Affected Version Ranges: < 3.0.1
Fixed in: 3.0.1
All affected versions: 3.0.0
All unaffected versions: 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7
go:github.com/containers/podman/v4
Dependent packages: 80Dependent repositories: 80
Downloads:
Affected Version Ranges: < 4.2.0
Fixed in: 4.2.0
All affected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1
All unaffected versions: 4.2.0, 4.2.1, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.2, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5