CVE-2022-27650

EUVD-2022-32150
A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 26%
Affected Products (NVD)
VendorProductVersion
crun_projectcrun
𝑥
< 1.4.4
redhatopenshift_container_platform
4.0
redhatenterprise_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
crun
bookworm
1.8.1-1+deb12u1
fixed
bullseye
0.17+dfsg-1+deb11u2
fixed
sid
1.18.2-1
fixed
trixie
1.18-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
crun
focal
needs-triage
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
ignored
xenial
ignored
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=2066845
https://github.com/containers/crun/commit/1aeeed2e4fdeffb4875c0d0b439915894594c8c6
https://github.com/containers/crun/security/advisories/GHSA-wr4f-w546-m398
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYIGABCZ7ZHAG2XCOGITTQRJU2ASWMFA/
https://bugzilla.redhat.com/show_bug.cgi?id=2066845
https://github.com/containers/crun/commit/1aeeed2e4fdeffb4875c0d0b439915894594c8c6
https://github.com/containers/crun/security/advisories/GHSA-wr4f-w546-m398
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYIGABCZ7ZHAG2XCOGITTQRJU2ASWMFA/