CVE-2022-27649: Incorrect Default Permissions

April 4, 2022 (updated November 7, 2023)

A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

References

bugzilla.redhat.com/show_bug.cgi?id=2066568
github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0
github.com/containers/podman/security/advisories/GHSA-qvf8-p83w-v58j
nvd.nist.gov/vuln/detail/CVE-2022-27649

Detect and mitigate CVE-2022-27649 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →