Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2022-27652  

A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

Source

Description

A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

Statement

This issue is related to the general vulnerability found in Moby (Docker Engine), which has been assigned CVE-2022-24769.

This issue is related to the general vulnerability found in Moby (Docker Engine), which has been assigned CVE-2022-24769.

Mitigation

The entry point of a container can be modified to use a utility like capsh(1) to drop inheritable capabilities prior to the primary process starting.

Additional Information

  • Bugzilla 2066839: CVE-2022-27652 cri-o: Default inheritable capabilities for linux container should be empty
  • CWE-276: Incorrect Default Permissions
  • FAQ: Frequently asked questions about CVE-2022-27652

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started