Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mam04LW03bTYtMmZqcM4AAuw0
Buildah's incorrect handling of the supplementary groups may lead to data disclosure, modification
An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
Permalink: https://github.com/advisories/GHSA-fjm8-m7m6-2fjpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mam04LW03bTYtMmZqcM4AAuw0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-fjm8-m7m6-2fjp, CVE-2022-2990
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-2990
- https://bugzilla.redhat.com/show_bug.cgi?id=2121453
- https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
- https://github.com/containers/buildah/pull/4200
- https://github.com/containers/buildah/commit/4a8bf740e862f2438279c6feee2ea59ddf0cda0b
- https://access.redhat.com/security/cve/CVE-2022-2990
- https://pkg.go.dev/vuln/GO-2022-1008
- https://github.com/advisories/GHSA-fjm8-m7m6-2fjp
Blast Radius: 17.8
Affected Packages
go:github.com/containers/buildah
Dependent packages: 216Dependent repositories: 321
Downloads:
Affected Version Ranges: < 1.27.1
Fixed in: 1.27.1
All affected versions: 0.16.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.11.7, 1.12.0, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.14.6, 1.14.7, 1.14.8, 1.14.9, 1.14.10, 1.14.11, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 1.16.5, 1.16.6, 1.16.7, 1.16.8, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.19.6, 1.19.7, 1.19.8, 1.19.9, 1.19.10, 1.19.11, 1.20.0, 1.20.1, 1.20.2, 1.21.0, 1.21.1, 1.21.2, 1.21.3, 1.21.4, 1.21.5, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.22.4, 1.22.5, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.23.4, 1.23.5, 1.24.0, 1.24.1, 1.24.2, 1.24.3, 1.24.4, 1.24.5, 1.24.6, 1.25.0, 1.25.1, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4, 1.26.5, 1.26.6, 1.27.0
All unaffected versions: 1.27.1, 1.27.2, 1.27.3, 1.28.0, 1.28.1, 1.28.2, 1.29.0, 1.29.1, 1.29.2, 1.30.0, 1.31.0, 1.31.1, 1.31.2, 1.31.3, 1.31.4, 1.32.0, 1.32.1, 1.32.2, 1.33.0, 1.33.1, 1.33.2, 1.33.3, 1.34.0