CVE-2022-2990

EPSS 0.3%CWE-842

In short

Buildah container engine incorrectly handles supplementary groups, potentially allowing an attacker with access to a container to read sensitive data or modify files if they can run code inside it.

Technical detail

Buildah's supplementary group handling contains a flaw in access control enforcement. An attacker with code execution privileges within a container can bypass intended file access restrictions enforced via supplementary groups, leading to unauthorized information disclosure or data modification.

Summary generated and translated by AI from the official description.

An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

Affected products

n/a · buildah

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://bugzilla.redhat.com/show_bug.cgi?id=2121453 https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/