Vulnerability Details : CVE-2022-27651
A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.
Products affected by CVE-2022-27651
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-27651
0.13%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 48 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-27651
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.9
|
MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:N |
6.8
|
4.9
|
NIST | |
6.8
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
1.6
|
5.2
|
NIST |
CWE ids for CVE-2022-27651
-
During installation, installed file permissions are set to allow anyone to modify those files.Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)
References for CVE-2022-27651
-
https://bugzilla.redhat.com/show_bug.cgi?id=2066840
2066840 – (CVE-2022-27651) CVE-2022-27651 buildah: Default inheritable capabilities for linux container should be emptyIssue Tracking;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VWH6X6HOFPO6HTESF42HIJZEPXSWVIO/
[SECURITY] Fedora 35 Update: buildah-1.23.3-2.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NETC7I6RTMMBRJJQVJOJUPDK4W4PQSJ/
[SECURITY] Fedora 34 Update: buildah-1.23.3-1.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25YI27MENCEPZTTGRVU6BQD5V53FNI52/
[SECURITY] Fedora 36 Update: buildah-1.25.1-1.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://github.com/containers/buildah/security/advisories/GHSA-c3g4-w6cv-6v7h
Default inheritable capabilities for linux container should be empty · Advisory · containers/buildah · GitHubThird Party Advisory
-
https://github.com/containers/buildah/commit/e7e55c988c05dd74005184ceb64f097a0cfe645b
do not set the inheritable capabilities · containers/buildah@e7e55c9 · GitHubPatch;Third Party Advisory
Jump to