CVE-2022-29526
First published: Wed May 11 2022(Updated: )
A flaw was found in the syscall.Faccessat function when calling a process by checking the group. This flaw allows an attacker to check the process group permissions rather than a member of the file's group, affecting system availability.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/servicemesh-operator | <0:2.1.5-1.el8 | 0:2.1.5-1.el8 |
| redhat/servicemesh-prometheus | <0:2.23.0-9.el8 | 0:2.23.0-9.el8 |
| redhat/golang | <0:1.17.12-1.el9_0 | 0:1.17.12-1.el9_0 |
| redhat/go-toolset | <0:1.17.12-1.el9_0 | 0:1.17.12-1.el9_0 |
| redhat/atomic-openshift-service-idler | <0:4.10.0-202207192015.p0.g39cfc66.assembly.stream.el8 | 0:4.10.0-202207192015.p0.g39cfc66.assembly.stream.el8 |
| redhat/cri-o | <0:1.23.3-11.rhaos4.10.gitddf4b1a.1.el8 | 0:1.23.3-11.rhaos4.10.gitddf4b1a.1.el8 |
| redhat/openshift | <0:4.10.0-202207192015.p0.g012e945.assembly.stream.el8 | 0:4.10.0-202207192015.p0.g012e945.assembly.stream.el8 |
| redhat/openshift-clients | <0:4.10.0-202207192015.p0.g45460a5.assembly.stream.el8 | 0:4.10.0-202207192015.p0.g45460a5.assembly.stream.el8 |
| Golang Go | <1.17.10 | |
| Golang Go | >=1.18.0<1.18.2 | |
| Linux Linux kernel | ||
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Netapp Beegfs Csi Driver | ||
| redhat/go | <1.17.10 | 1.17.10 |
| redhat/go | <1.18.2 | 1.18.2 |
| go/golang.org/x/sys | <0.0.0-20220412211240-33da011f77ad | 0.0.0-20220412211240-33da011f77ad |
| All of | ||
| Any of | ||
| Golang Go | <1.17.10 | |
| Golang Go | >=1.18.0<1.18.2 | |
| Linux Linux kernel | ||
| debian/golang-1.15 | <=1.15.15-1~deb11u4 | |
| IBM Concert Software | <=1.0.0 - 1.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-29526 https://nvd.nist.gov/vuln/detail/CVE-2022-29526 https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU
- https://bugzilla.redhat.com/show_bug.cgi?id=2084085
- https://access.redhat.com/errata/RHSA-2022:6277
- https://access.redhat.com/errata/RHSA-2022:5699
- https://access.redhat.com/errata/RHSA-2022:5392
- https://access.redhat.com/errata/RHSA-2023:3642
- https://access.redhat.com/errata/RHSA-2022:5337
- https://access.redhat.com/errata/RHSA-2022:5799
- https://access.redhat.com/errata/RHSA-2022:5840
- https://access.redhat.com/errata/RHSA-2022:5729
- https://access.redhat.com/errata/RHSA-2022:6156
- https://access.redhat.com/errata/RHSA-2022:6714
- https://access.redhat.com/errata/RHSA-2023:0408
- https://access.redhat.com/errata/RHSA-2023:1529
- https://access.redhat.com/security/cve/cve-2022-29526
- https://github.com/golang/go/issues/52313
- https://groups.google.com/g/golang-announce
- https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q6GE5EQGE4L2KRVGW4T75QVIYAXCLO5X/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/
- https://security.gentoo.org/glsa/202208-02
- https://security.netapp.com/advisory/ntap-20220729-0001/
- https://go.dev/issue/52313
- https://github.com/golang/go/commit/f66925e854e71e0c54b581885380a490d7afa30c
- https://github.com/golang/go/commit/04781d14d2d33acbaf70f77e3a58ae0f3c90757c
- https://github.com/golang/go/commit/c0599c5b781de023974519194df6b0c4ebb0adff
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2093091
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2093092
- https://access.redhat.com/errata/RHSA-2022:5201
- https://nvd.nist.gov/vuln/detail/CVE-2022-29526
- https://go.dev/cl/399539
- https://go.dev/cl/400074
- https://pkg.go.dev/vuln/GO-2022-0493
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q6GE5EQGE4L2KRVGW4T75QVIYAXCLO5X
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR
- https://security.netapp.com/advisory/ntap-20220729-0001
- https://github.com/advisories/GHSA-p782-xgp4-8hr8 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q6GE5EQGE4L2KRVGW4T75QVIYAXCLO5X/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526
- https://launchpad.net/bugs/cve/CVE-2022-29526
- https://security-tracker.debian.org/tracker/CVE-2022-29526
- https://ubuntu.com/security/CVE-2022-29526
- https://github.com/golang/go/commit/60f78765022a59725121d3b800268adffe78bde3
- https://www.ibm.com/support/pages/node/7173596 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2022-29526?
The severity of CVE-2022-29526 is medium with a CVSS score of 6.2.
How does CVE-2022-29526 impact Golang Go?
CVE-2022-29526 allows a remote attacker to obtain sensitive information in Golang Go.
What is the affected software for CVE-2022-29526?
The affected software for CVE-2022-29526 includes Golang Go versions before 1.17.10 and 1.18.x before 1.18.2, as well as specific Red Hat packages and other related software.
How can I fix CVE-2022-29526?
To fix CVE-2022-29526, update Golang Go to version 1.17.10 or 1.18.2 and apply the necessary patches from the vendor for other affected software.
Where can I find more information about CVE-2022-29526?
More information about CVE-2022-29526 can be found on the NIST NVD website, the Golang Go GitHub repository, and the Golang-announce Google group.
- collector/redhat-cve
- collector/nvd-index
- agent/author
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-29526
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-p782-xgp4-8hr8
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- collector/launchpad-cve
- source/Launchpad
- agent/description
- collector/security-tracker-debian
- source/Debian
- collector/ibm-support
- source/IBM
- agent/severity
- agent/references
- agent/softwarecombine
- agent/tags
- agent/event
- collector/nvd-cve
- source/NVD
- agent/last-modified-date
- agent/trending
- package-manager/redhat
- vendor/golang
- canonical/golang go
- version/golang go/1.18.0
- vendor/linux
- canonical/linux linux kernel
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- vendor/netapp
- canonical/netapp beegfs csi driver
- package-manager/go
- package-manager/debian
- vendor/ibm
- canonical/ibm concert software
- version/ibm concert software/1.0.0 - 1.0.1