History: Sep 01, 2022 - 9:15 p.m.

CVE-2022-2738

2022-09-01 21:15:09
CWE-416
redhat
web.nvd.nist.gov
podman
red hat enterprise linux
cve-2022-2738
rhsa-2022:2190
advisory

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 7.6
Confidence: High

EPSS: 0.012
Percentile: 85.0%

The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-8945, which was previously fixed via RHSA-2020:2117. This issue could possibly be used to crash or cause potential code execution in Go applications that use the Go GPGME wrapper library, under certain conditions, during GPG signature verification.

Affected configurations

Node
redhat enterprise_linux_server Match 7.0
OR
redhat enterprise_linux_workstation Match 7.0

Node
podman_project podman Match 1.6.4-32.el7_9

Vendor | Product | Version | CPE
redhat | enterprise_linux_server | 7.0 | cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
redhat | enterprise_linux_workstation | 7.0 | cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
podman_project | podman | 1.6.4-32.el7_9 | cpe:2.3:a:podman_project:podman:1.6.4-32.el7_9:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "podman",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "podman 1.6.4-32.el7_9"
      }
    ]
  }
]
