Vulnerability Details: CVE-2022-27652
A flaw was found in cri-o, where containers were incorrectly started with non-empty default inheritable capabilities. The same flaw was found in Moby (Docker Engine), where containers were likewise started with a non-empty inheritable set of Linux process capabilities. This flaw allows an attacker with access to programs that carry inheritable file capabilities to elevate those capabilities into the permitted set when execve(2) runs.
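The condition described above can be verified from inside a container by inspecting the inheritable capability set of its processes. The following script is an added example, not code from the CVE record or from the cri-o or moby projects; the two status excerpts are constructed samples, and the 0xa80425fb mask is assumed to stand for a runtime's default capability set.

```sh
#!/bin/sh
# Added example (not from the CVE record or either project): a defender-side
# check for the condition behind CVE-2022-27652. Per capabilities(7), on execve
#   P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
# so a process with a non-empty CapInh gains every capability a binary's file
# inheritable set names. The fix in both runtimes is an empty CapInh.

# Constructed /proc/<pid>/status excerpts (sample data, not captured output).
# Affected runtime: CapInh mirrors the assumed default bounding set.
STATUS_AFFECTED='Name:	sh
CapInh:	00000000a80425fb
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb'

# Fixed runtime: same permitted/effective/bounding sets, but CapInh is empty.
STATUS_FIXED='Name:	sh
CapInh:	0000000000000000
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb'

# cap_mask STATUS_TEXT FIELD: print the hex mask of FIELD (e.g. CapInh).
cap_mask() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2; exit }'
}

# inheritable_nonempty STATUS_TEXT: exit 0 when CapInh has any bit set
# (the vulnerable condition), 1 when it is empty, 2 when the field is missing.
inheritable_nonempty() {
    mask=$(cap_mask "$1" CapInh)
    [ -n "$mask" ] || return 2
    # Strip leading zeros: anything left means at least one capability is inheritable.
    [ -n "$(printf '%s' "$mask" | sed 's/^0*//')" ]
}

# check_status STATUS_TEXT: human-readable verdict; exit status as above.
check_status() {
    inheritable_nonempty "$1"
    rc=$?
    case $rc in
        0) echo "WARNING: CapInh=$(cap_mask "$1" CapInh) is non-empty; file capabilities can be elevated on execve" ;;
        1) echo "OK: CapInh is empty" ;;
        *) echo "ERROR: no CapInh line found in status text" ;;
    esac
    return $rc
}
```

Inside a running container, `check_status "$(cat /proc/1/status)"` checks the init process; a patched runtime reports an empty CapInh.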
Products affected by CVE-2022-27652
- cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:cri-o:-:*:*:*:*:*:*:*
- cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-27652
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~11% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-27652
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P | 3.9 | 6.4 | NIST |
5.3 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 1.8 | 3.4 | NIST |
CWE ids for CVE-2022-27652
- During installation, installed file permissions are set to allow anyone to modify those files.
  Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
References for CVE-2022-27652
- https://bugzilla.redhat.com/show_bug.cgi?id=2066839
  "2066839 – (CVE-2022-27652) CVE-2022-27652 cri-o: Default inheritable capabilities for linux container should be empty" (Issue Tracking; Third Party Advisory)
- https://github.com/cri-o/cri-o/security/advisories/GHSA-4hj2-r2pm-3hc6
  "Default inheritable capabilities for linux container should be empty · Advisory · cri-o/cri-o · GitHub" (Mitigation; Third Party Advisory)