Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1waGpyLThqOTItdzV2N84AAu6n
CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure
Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
Permalink: https://github.com/advisories/GHSA-phjr-8j92-w5v7JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1waGpyLThqOTItdzV2N84AAu6n
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 8 months ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-phjr-8j92-w5v7, CVE-2022-2995
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-2995
- https://github.com/cri-o/cri-o/pull/6159
- https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
- https://github.com/cri-o/cri-o/commit/db3b399a8d7dabf7f073db73894bee98311d7909
- https://github.com/advisories/GHSA-phjr-8j92-w5v7
Affected Packages
go:github.com/cri-o/cri-o
Versions: < 1.25.0Fixed in: 1.25.0