CVE-2022-2989
13.09.2022, 14:15
An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| podman_project | podman | * |
| redhat | openshift_container_platform | 3.11 |
| redhat | openshift_container_platform | 4.0 |
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux | 9.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| podman |
| ||||||||||||||||||||
| podman-cni-config |
| ||||||||||||||||||||
| podman-docker |
| ||||||||||||||||||||
| podman-remote |
| ||||||||||||||||||||
| podmansh |
|
Red Hat Enterprise Linux Releases
Red Hat Product | |||
|---|---|---|---|
| buildah |
| ||
| buildah-tests |
| ||
| podman |
| ||
| podman-catatonit |
| ||
| podman-docker |
| ||
| podman-gvproxy |
| ||
| podman-plugins |
| ||
| podman-remote |
| ||
| podman-tests |
|
Common Weakness Enumeration
- CWE-842 - Placement of User into Incorrect GroupThe software or the administrator places a user into an incorrect group.
- CWE-863 - Incorrect AuthorizationThe software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
References