Cri-o: security regression of cve-2022-27652
CVE-2022-3466

4.8MEDIUM

Key Information:

Vendor
Red Hat
Status
Red Hat Openshift Container Platform 4.12
Red Hat Openshift Container Platform 3.11
Vendor
CVE Published:
15 September 2023

Summary

The version of cri-o as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6 via RHBA-2022:6316, RHBA-2022:6257, and RHBA-2022:6658, respectively, included an incorrect version of cri-o missing the fix for CVE-2022-27652, which was previously fixed in OCP 4.9.41 and 4.10.12 via RHBA-2022:5433 and RHSA-2022:1600. This issue could allow an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. For more details, see https://access.redhat.com/security/cve/CVE-2022-27652.

Affected Version(s)

Red Hat OpenShift Container Platform 4.12 0:1.25.1-5.rhaos4.12.git6005903.el9

References

https://access.redhat.com/errata/RHSA-2022:7398
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2022-3466
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2134063
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.