Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mam04LW03bTYtMmZqcM4AAuw0
Buildah's incorrect handling of the supplementary groups may lead to data disclosure, modification
An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
Permalink: https://github.com/advisories/GHSA-fjm8-m7m6-2fjpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mam04LW03bTYtMmZqcM4AAuw0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Percentage: 0.00046
EPSS Percentile: 0.19021
Identifiers: GHSA-fjm8-m7m6-2fjp, CVE-2022-2990
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-2990
- https://bugzilla.redhat.com/show_bug.cgi?id=2121453
- https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
- https://github.com/containers/buildah/pull/4200
- https://github.com/containers/buildah/commit/4a8bf740e862f2438279c6feee2ea59ddf0cda0b
- https://access.redhat.com/security/cve/CVE-2022-2990
- https://pkg.go.dev/vuln/GO-2022-1008
- https://github.com/advisories/GHSA-fjm8-m7m6-2fjp
Blast Radius: 17.8
Affected Packages
go:github.com/containers/buildah
Dependent packages: 260Dependent repositories: 321
Downloads:
Affected Version Ranges: < 1.27.1
Fixed in: 1.27.1
All affected versions: 0.16.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.11.7, 1.12.0, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.14.6, 1.14.7, 1.14.8, 1.14.9, 1.14.10, 1.14.11, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 1.16.5, 1.16.6, 1.16.7, 1.16.8, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.19.6, 1.19.7, 1.19.8, 1.19.9, 1.19.10, 1.19.11, 1.20.0, 1.20.1, 1.20.2, 1.21.0, 1.21.1, 1.21.2, 1.21.3, 1.21.4, 1.21.5, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.22.4, 1.22.5, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.23.4, 1.23.5, 1.24.0, 1.24.1, 1.24.2, 1.24.3, 1.24.4, 1.24.5, 1.24.6, 1.24.7, 1.25.0, 1.25.1, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4, 1.26.5, 1.26.6, 1.26.7, 1.27.0
All unaffected versions: 1.27.1, 1.27.2, 1.27.3, 1.27.4, 1.28.0, 1.28.1, 1.28.2, 1.29.0, 1.29.1, 1.29.2, 1.29.3, 1.29.4, 1.30.0, 1.31.0, 1.31.1, 1.31.2, 1.31.3, 1.31.4, 1.31.5, 1.32.0, 1.32.1, 1.32.2, 1.32.3, 1.33.0, 1.33.1, 1.33.2, 1.33.3, 1.33.4, 1.33.5, 1.33.6, 1.33.7, 1.33.8, 1.33.10, 1.34.0, 1.34.1, 1.34.2, 1.34.3, 1.35.0, 1.35.1, 1.35.2, 1.35.3, 1.35.4, 1.36.0, 1.37.0, 1.37.1, 1.37.2, 1.37.3, 1.37.4, 1.37.5