Bug 1202806 - (CVE-2022-2995) VUL-0: CVE-2022-2995: cri-o: incorrect handling of the supplementary groups
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P3 - Medium : Normal
Assigned To: Jeff Kowalczyk
Security Team bot
https://smash.suse.de/issue/340894/
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/...
Reported: 2022-08-26 09:03 UTC by Thomas Leroy
Modified: 2022-08-26 09:15 UTC (History)
Found By: Security Response Team
Description Thomas Leroy 2022-08-26 09:03:06 UTC
rh#2121632

Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

https://github.com/cri-o/cri-o/pull/6159

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2121632
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2995
Comment 1 Thomas Leroy 2022-08-26 09:09:48 UTC
CVSS below 8.0 so I guess it's a wontfix for CaaSP.
However, the following openSUSE codestreams are affected:
- openSUSE:Leap:15.3
- openSUSE:Leap:15.4
- openSUSE:Factory