CVE-2022-2990

2022-09-1314:15:08

Debian Security Bug Tracker

security-tracker.debian.org

buildah

sensitive information

data modification

supplementary groups

access permissions

binary code

container security

CVSS3

7.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

17.8%

JSON

An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

OSVersionArchitecturePackageVersionFilename
Debian12allgolang-github-containers-buildah< 1.28.0+ds1-2golang-github-containers-buildah_1.28.0+ds1-2_all.deb
Debian11allgolang-github-containers-buildah<= 1.19.6+dfsg1-1golang-github-containers-buildah_1.19.6+dfsg1-1_all.deb
Debian999allgolang-github-containers-buildah< 1.28.0+ds1-2golang-github-containers-buildah_1.28.0+ds1-2_all.deb
Debian13allgolang-github-containers-buildah< 1.28.0+ds1-2golang-github-containers-buildah_1.28.0+ds1-2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	golang-github-containers-buildah	< 1.28.0+ds1-2	golang-github-containers-buildah_1.28.0+ds1-2_all.deb
Debian	11	all	golang-github-containers-buildah	<= 1.19.6+dfsg1-1	golang-github-containers-buildah_1.19.6+dfsg1-1_all.deb
Debian	999	all	golang-github-containers-buildah	< 1.28.0+ds1-2	golang-github-containers-buildah_1.28.0+ds1-2_all.deb
Debian	13	all	golang-github-containers-buildah	< 1.28.0+ds1-2	golang-github-containers-buildah_1.28.0+ds1-2_all.deb