Sensitive Information Disclosure in CRI-O Container Engine by Red Hat
CVE-2022-2995

7.1HIGH

Key Information:

Vendor: Kubernetes
Status: Cri-o
Vendor: CVE Published:; 19 September 2022

What is CVE-2022-2995?

The CRI-O container engine, developed by Red Hat, exhibits vulnerabilities in the handling of supplementary groups that could lead to unauthorized access to sensitive information or potential data manipulation. If an attacker gains direct access to a vulnerable container where supplementary groups dictate access permissions, they may execute arbitrary code within the container environment. This situation underscores the need for strict access controls and regular security assessments to mitigate risks associated with container deployments.

Affected Version(s)

cri-o cri-o 1.25.0

References

https://www.benthamsgaze.org/2022/08/22/vulnerability-in-...

x_refsource_MISC

https://github.com/cri-o/cri-o/pull/6159

x_refsource_MISC

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 19, 2022
Vulnerability Reserved
Aug 25, 2022

Kubernetes

What is CVE-2022-2995?

Affected Version(s)

References

CVSS V3.1

Timeline