CVE-2022-27650

Name
CVE-2022-27650
Description
A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://bugzilla.redhat.com/show_bug.cgi?id=2066845
MISC https://github.com/containers/crun/commit/1aeeed2e4fdeffb4875c0d0b439915894594c8c6
MISC https://github.com/containers/crun/security/advisories/GHSA-wr4f-w546-m398
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HYIGABCZ7ZHAG2XCOGITTQRJU2ASWMFA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYIGABCZ7ZHAG2XCOGITTQRJU2ASWMFA/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:crun_project:crun:*:*:*:*:*:*:*:* crun >= None < 1.4.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
crun edge-community 1.4.4-r0 Michał Polański <michal@polanski.me> fixed
crun 3.22-community 1.4.4-r0 None fixed
crun 3.21-community 1.4.4-r0 None fixed
crun 3.20-community 1.4.4-r0 None fixed
crun 3.19-community 1.4.4-r0 None fixed
crun 3.18-community 1.4.4-r0 None fixed
crun 3.17-community 1.4.4-r0 None fixed