PT-2022-18548 · Docker+7 · Moby+7

Andrew Morgan · Published 2022-04-01 · Updated 2024-06-15 · CVE-2022-27651

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Buildah (affected versions not specified)
Moby (Docker Engine) (affected versions not specified)

Description

A flaw was found in buildah and Moby (Docker Engine) where containers were incorrectly started with non-empty default permissions and non-empty inheritable Linux process capabilities. This enables an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs, potentially impacting confidentiality and integrity. The bug does not affect the container security sandbox, as the inheritable set never contains more capabilities than are included in the container's bounding set.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
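
To check a running container for the condition in the description, read the Cap* lines of /proc/<pid>/status for a process inside it. The following is an added example, not part of this advisory or of the Moby or buildah code: it parses those lines, confirms the inheritable set stays within the bounding set, and applies the execve(2) rule from capabilities(7) to show what a file with inheritable file capabilities would gain. The status samples and the cap_net_raw+i file are constructed for illustration.

```python
import re

# Capability bit numbers 0..31 as defined in <linux/capability.h>.
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP "
    "LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK "
    "IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN "
    "SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE "
    "AUDIT_WRITE AUDIT_CONTROL SETFCAP"
).split()

# Constructed samples of the Cap* lines in /proc/<pid>/status for a non-root
# process in a container: one with a populated inheritable set, one without.
AFFECTED = ("CapInh:\t00000000a80425fb\nCapPrm:\t0000000000000000\n"
            "CapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n"
            "CapAmb:\t0000000000000000\n")
FIXED = AFFECTED.replace("CapInh:\t00000000a80425fb", "CapInh:\t0000000000000000")

def parse_caps(status_text):
    """Map each Cap* field of /proc/<pid>/status to its integer bitmask."""
    pairs = re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    return {name: int(value, 16) for name, value in pairs}

def cap_names(mask):
    return [f"CAP_{n}" for bit, n in enumerate(CAP_NAMES) if (mask >> bit) & 1]

def permitted_after_execve(caps, file_inh, file_prm=0):
    """capabilities(7): P'(prm) = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(amb).
    Ambient capabilities are cleared when the file itself carries capabilities."""
    ambient = 0 if (file_inh or file_prm) else caps.get("CapAmb", 0)
    return (caps["CapInh"] & file_inh) | (file_prm & caps["CapBnd"]) | ambient

def audit(status_text):
    caps = parse_caps(status_text)
    return {
        "inheritable": cap_names(caps["CapInh"]),  # non-empty list = flag it
        # The description's invariant: inheritable never exceeds bounding.
        "within_bounding": (caps["CapInh"] & ~caps["CapBnd"]) == 0,
    }

if __name__ == "__main__":
    # Hypothetical file marked cap_net_raw+i (inheritable file capability).
    net_raw_i = 1 << CAP_NAMES.index("NET_RAW")
    for label, text in (("affected", AFFECTED), ("fixed", FIXED)):
        gained = permitted_after_execve(parse_caps(text), net_raw_i)
        print(label, audit(text), "permitted after execve:", cap_names(gained))
```

With the inheritable set empty, the same file yields no permitted capabilities after execve(2), which is the behaviour a corrected runtime should show.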

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

ALSA-2022:1565
ALSA-2022:1566
ALSA-2022:1762
ALT-PU-2022-1655
ALT-PU-2023-7894
ALT-PU-2024-7024
AZL-11513
AZL-36934
AZL-39870
AZL-9318
CESA-2022_1565
CESA-2022_1566
CESA-2022_1762
CVE-2022-27651
GHSA-C3G4-W6CV-6V7H
GO-2022-0417
MGASA-2023-0213
OPENSUSE-SU-2022_1437-1
OPENSUSE-SU-2022_2680-1
OPENSUSE-SU-2024:11964-1
RHSA-2022:1407
RHSA-2022:1565
RHSA-2022:1566
RHSA-2022:1762
RHSA-2022:4651
RHSA-2022:4816
RHSA-2022_1565
RHSA-2022_1566
RHSA-2022_1762
RLSA-2022:1565
RLSA-2022:1566
RLSA-2022:1762
ROSA-SA-2023-2227
SUSE-SU-2022:1437-1
SUSE-SU-2022:2680-1
SUSE-SU-2022:3480-1
SUSE-SU-2022_1437-1
SUSE-SU-2022_2680-1

Affected Products

ALT Linux
AlmaLinux
CentOS
Debian
Moby
Red Hat
Rocky Linux
SUSE