PT-2022-18547 · Docker+5 · Moby+5

Andrew Morgan

Published

2022-03-24

Updated

2024-06-15

CVE-2022-27650

CVSS v3.1

8.0

High

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Moby (Docker Engine) (affected versions not specified) crun (affected versions not specified)

Description A flaw was found in crun and Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This issue allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

Recommendations For Moby (Docker Engine), at the moment, there is no information about a newer version that contains a fix for this vulnerability. For crun, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Incorrect Default Permissions

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-276

Related Identifiers

ALSA-2022:1762

ALSA-2022:1793

ALT-PU-2022-1571

ALT-PU-2023-1487

CESA-2022_1762

CESA-2022_1793

CVE-2022-27650

GHSA-WR4F-W546-M398

MGASA-2022-0141

OPENSUSE-SU-2024:11989-1

RHSA-2022:1762

RHSA-2022:1793

RHSA-2022_1762

RHSA-2022_1793

RLSA-2022:1762

RLSA-2022:1793

Affected Products

Alt Linux

Almalinux

Centos

Moby

Red Hat

Rocky Linux

PT-2022-18547 · Docker+5 · Moby+5

CVE-2022-27650

Weakness Enumeration

Related Identifiers

Affected Products

References · 74