Bugzilla – Bug 1206370
VUL-0: CVE-2022-4318: cri-o: /etc/passwd tampering privesc
Last modified: 2022-12-14 09:18:41 UTC
Tested with OCP 4.10.0-0.okd-2022-06-10-131327 & 4.11.7
It is possible to craft an environment variable with newlines to add entries to /etc/passwd. Using the default SCC prevents the privesc (so reducing impact to moderate). Better to sanitize the home directory.
Using non-default SCC (anyuid, for example) does allow the process to become root on the host. As the container author, you could already just add the problematic line into /etc/passwd rather than injecting it into the HOME environment variable. Thus, impact is moderate as exploitation is unlikely, limiting impact to confidentiality. However, the input should be sanitized and this should be fixed.
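One way to do the sanitizing the report asks for, as an added example that is not taken from this bug or from the CRI-O source: validate every field before a passwd record is assembled, so a home directory containing a newline or colon is rejected instead of written. The names `PasswdEntry`, `checkField` and `ErrUnsafeField` and the sample values are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeField is returned when a value cannot be stored in one passwd field.
var ErrUnsafeField = errors.New("unsafe character in passwd field")

// checkField rejects anything that would end the field (':') or the
// record (CR/LF), plus NUL and other control characters.
func checkField(v string) error {
	for _, r := range v {
		if r == ':' || r < 0x20 || r == 0x7f {
			return fmt.Errorf("%w: %q", ErrUnsafeField, v)
		}
	}
	return nil
}

// PasswdEntry (hypothetical helper) builds one /etc/passwd line for a
// container user. homeDir is treated as untrusted because it can come
// from the image or pod environment (HOME).
func PasswdEntry(username string, uid, gid uint32, homeDir, shell string) (string, error) {
	if username == "" {
		return "", fmt.Errorf("%w: empty username", ErrUnsafeField)
	}
	for _, f := range []string{username, homeDir, shell} {
		if err := checkField(f); err != nil {
			return "", err
		}
	}
	if !strings.HasPrefix(homeDir, "/") {
		return "", fmt.Errorf("%w: home directory must be absolute: %q", ErrUnsafeField, homeDir)
	}
	return fmt.Sprintf("%s:x:%d:%d::%s:%s\n", username, uid, gid, homeDir, shell), nil
}

func main() {
	// Constructed sample values: one ordinary HOME, one containing a newline.
	for _, home := range []string{"/home/app", "/home/app\nsecond-record"} {
		line, err := PasswdEntry("app", 1000, 1000, home, "/sbin/nologin")
		fmt.Printf("home=%q line=%q err=%v\n", home, line, err)
	}
}
```

Rejecting the value is preferable to stripping the offending characters, since a silently rewritten HOME would leave the passwd entry and the process environment disagreeing.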