CVE-2022-27652: Incorrect Default Permissions in CRI-O

April 22, 2022

A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

References

bugzilla.redhat.com/show_bug.cgi?id=2066839
github.com/advisories/GHSA-4hj2-r2pm-3hc6
github.com/cri-o/cri-o/security/advisories/GHSA-4hj2-r2pm-3hc6
nvd.nist.gov/vuln/detail/CVE-2022-27652

Code Behaviors & Features

Detect and mitigate CVE-2022-27652 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →