PT-2022-7292 · Cri-O+2

Steven J. Murdoch · Published 2022-09-19 · Updated 2025-05-29

CVE-2022-2995 · CVSS v3.1 7.1 High · Vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: CRI-O (affected versions not specified)
Description: CRI-O does not set up the supplementary groups of a container process correctly. The weakness is reachable only by an attacker who already has access to the affected container, where supplementary groups are relied on to set access permissions, and who can execute code inside it; it may then lead to disclosure of sensitive information or modification of data and, in some cases, to privilege escalation within the container. The mechanism involves set-group-ID (SGID) programs: executing one replaces the process's effective GID with the binary's group while the supplementary group set is left untouched. When that set was populated correctly it still contains the user's primary group, so files carrying a negative group permission for that group (group bits cleared, but readable or writable by others) stay inaccessible. When the set is missing the primary group, the kernel falls through to the "other" permission bits and the SGID program can reach those files.
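The permission logic behind the SGID case, as an added illustration: this is a Python model of the kernel's owner/group/other class-selection rule and of glibc's initgroups(), written for this page and not taken from CRI-O; the /etc/group contents, UIDs, GIDs and file mode are constructed, and capabilities are not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass

# Permission bits, as in the mode word
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Creds:
    """Subset of process credentials that the permission check consults."""
    uid: int
    egid: int                 # effective GID (the kernel uses fsgid, normally equal)
    groups: frozenset[int]    # supplementary group set

    def in_group(self, gid: int) -> bool:
        # Mirrors the kernel's in_group_p(): effective GID or any supplementary group.
        return gid == self.egid or gid in self.groups

    def exec_sgid(self, sgid_group: int) -> Creds:
        # Running a set-group-ID binary swaps the effective GID for the binary's
        # group; the supplementary set is carried over untouched.
        return Creds(self.uid, sgid_group, self.groups)


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int   # permission bits only, e.g. 0o604


def permitted(creds: Creds, ino: Inode, want: int) -> bool:
    """Discretionary check for a non-root process (capabilities are not modelled).

    Exactly one permission class is consulted: owner if the UID matches, else
    group if the process is in the file's group, else other.  Because group
    membership selects the group class even when its bits are all clear, a
    mode like 0o604 denies group members what it grants to everyone else: a
    negative group permission.
    """
    if creds.uid == ino.uid:
        bits = (ino.mode >> 6) & 7
    elif creds.in_group(ino.gid):
        bits = (ino.mode >> 3) & 7
    else:
        bits = ino.mode & 7
    return (bits & want) == want


def initgroups(user: str, primary_gid: int, etc_group: str) -> frozenset[int]:
    """Model of glibc initgroups(): the primary GID plus every /etc/group
    entry that lists the user as a member."""
    groups = {primary_gid}
    for line in etc_group.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _name, _pw, gid, members = line.split(":", 3)
        if user in [m for m in members.split(",") if m]:
            groups.add(int(gid))
    return frozenset(groups)


# Constructed sample data (hypothetical image contents, not from any real image)
ETC_GROUP = """\
root:x:0:
app:x:1000:
staff:x:50:app
"""
USER, USER_UID, PRIMARY_GID, SGID_GROUP = "app", 1000, 1000, 50

# A file the image author meant to hide from group 1000 specifically:
# owned by root, group 1000, mode rw- --- r--
NEGATIVE_PERM_FILE = Inode(uid=0, gid=PRIMARY_GID, mode=0o604)


def sgid_read_outcome(supplementary: frozenset[int]) -> dict[str, bool]:
    """Can the container user read NEGATIVE_PERM_FILE before and after
    executing an SGID binary owned by SGID_GROUP, given this supplementary set?"""
    before = Creds(uid=USER_UID, egid=PRIMARY_GID, groups=supplementary)
    after = before.exec_sgid(SGID_GROUP)
    return {
        "before_sgid": permitted(before, NEGATIVE_PERM_FILE, R),
        "after_sgid": permitted(after, NEGATIVE_PERM_FILE, R),
    }


if __name__ == "__main__":
    correct = sgid_read_outcome(initgroups(USER, PRIMARY_GID, ETC_GROUP))
    broken = sgid_read_outcome(frozenset())   # runtime set no supplementary groups
    print("initgroups-style set:", correct)   # both False: still denied
    print("empty set:           ", broken)    # after_sgid True: denial bypassed
```

Inside a running container the actual supplementary set can be read with `id` or from the `Groups:` line of `/proc/self/status`; comparing it with what the image's /etc/group would yield for the container user is the practical check for this class of bug.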
Recommendations: This entry does not record a version that contains the fix. The vendor and ecosystem advisories listed under Related Identifiers (the Red Hat RHSA entries, the GitHub advisory GHSA-PHJR-8J92-W5V7 and the Go vulnerability reports) are the place to look for patched builds. To verify an affected container, compare the supplementary group set actually in effect (`id`, or the `Groups:` line of `/proc/self/status`) with what the image's /etc/group defines for the container user.

Exploit

Weakness Enumeration

Incorrect Permission
Improper Access Control

Related Identifiers

ALT-PU-2023-1519
ALT-PU-2023-1528
AZL-39882
BDU:2024-02407
CVE-2022-2995
GHSA-PHJR-8J92-W5V7
GO-2022-1008
GO-2022-1014
GO-2023-1574
OESA-2024-1251
RHSA-2022:7398
RHSA-2023:3216
RHSA-2023:3541

Affected Products

Alt Linux
Cri-O
Red Os