CVE-2022-2995
First published: Thu Aug 25 2022(Updated: )
Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/cri-o | <1.25.0 | 1.25.0 |
| redhat/cri-o | <0:1.23.5-11.rhaos4.10.gitfc32aac.el7 | 0:1.23.5-11.rhaos4.10.gitfc32aac.el7 |
| redhat/cri-o | <0:1.24.5-5.rhaos4.11.git8bf967b.el8 | 0:1.24.5-5.rhaos4.11.git8bf967b.el8 |
| redhat/cri-o | <0:1.25.1-5.rhaos4.12.git6005903.el8 | 0:1.25.1-5.rhaos4.12.git6005903.el8 |
| go/github.com/cri-o/cri-o | <1.25.0 | 1.25.0 |
| Kubernetes CRI-O | =1.25.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-2995
- https://github.com/cri-o/cri-o/pull/6159
- https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
- https://github.com/cri-o/cri-o/commit/db3b399a8d7dabf7f073db73894bee98311d7909
- https://github.com/advisories/GHSA-phjr-8j92-w5v7 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2121635
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2121637
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2121638
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2121636
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2121639
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2121640
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2121641
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2121642
- https://access.redhat.com/errata/RHSA-2022:7398
- https://access.redhat.com/security/cve/cve-2022-2995
- https://access.redhat.com/errata/RHSA-2023:3216
- https://access.redhat.com/errata/RHSA-2023:3541
- https://bugzilla.redhat.com/show_bug.cgi?id=2121632
- https://www.cve.org/CVERecord?id=CVE-2022-2995 https://nvd.nist.gov/vuln/detail/CVE-2022-2995 https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-2995?
CVE-2022-2995 is a vulnerability in the CRI-O container engine that can lead to sensitive information disclosure or possible data modification.
What is the severity of CVE-2022-2995?
The severity of CVE-2022-2995 is high with a CVSS score of 7.1.
How does CVE-2022-2995 affect CRI-O?
CVE-2022-2995 affects CRI-O by incorrectly handling the supplementary groups, which can result in sensitive information disclosure or possible data modification.
How can I mitigate CVE-2022-2995?
To mitigate CVE-2022-2995, update CRI-O to version 1.25.0 or apply the recommended patches provided by Red Hat.
Where can I find more information about CVE-2022-2995?
You can find more information about CVE-2022-2995 on the NIST NVD website, the GitHub pull request, and the Bentham's Gaze article.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/github-advisory
- alias/GHSA-phjr-8j92-w5v7
- alias/CVE-2022-2995
- collector/nvd-cve
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/redhat-cve
- package-manager/go
- vendor/kubernetes
- canonical/kubernetes cri-o
- version/kubernetes cri-o/1.25.0
- package-manager/redhat