Privilege escalation through command injection in fscrypt
CVE-2022-25328

5MEDIUM

Key Information:

Vendor: Google
Status: Fscrypt
Vendor: CVE Published:; 25 February 2022

Summary

The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be using the fscrypt bash completion script to complete mountpoint paths. We recommend upgrading to version 0.3.3 or above

Affected Version(s)

fscrypt <= 0.3.2

References

https://github.com/google/fscrypt/pull/346

x_refsource_MISC

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 25, 2022
Vulnerability Reserved
Feb 18, 2022

Collectors

NVD DatabaseMitre Database

Credit

Matthias Gerstner of SUSE