CVE-2022-2990

2022-09-1314:15:08

Alpine Linux Development Team

security.alpinelinux.org

buildah

container engine

sensitive information disclosure

data modification

supplementary groups

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

7.4 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.9%

JSON

An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

OSVersionArchitecturePackageVersionFilename
Alpineedge-communitynoarchbuildah< 1.28.0-r0UNKNOWN
Alpine3.17-communitynoarchbuildah< 1.28.0-r0UNKNOWN
Alpine3.18-communitynoarchbuildah< 1.28.0-r0UNKNOWN
Alpine3.19-communitynoarchbuildah< 1.28.0-r0UNKNOWN
Alpine3.20-communitynoarchbuildah< 1.28.0-r0UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	edge-community	noarch	buildah	< 1.28.0-r0	UNKNOWN
Alpine	3.17-community	noarch	buildah	< 1.28.0-r0	UNKNOWN
Alpine	3.18-community	noarch	buildah	< 1.28.0-r0	UNKNOWN
Alpine	3.19-community	noarch	buildah	< 1.28.0-r0	UNKNOWN
Alpine	3.20-community	noarch	buildah	< 1.28.0-r0	UNKNOWN