CVE-2022-2995: Incorrect Permission Assignment for Critical Resource

September 20, 2022 (updated September 21, 2022)

Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

References

github.com/advisories/GHSA-phjr-8j92-w5v7
github.com/cri-o/cri-o/commit/db3b399a8d7dabf7f073db73894bee98311d7909
github.com/cri-o/cri-o/pull/6159
nvd.nist.gov/vuln/detail/CVE-2022-2995
www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/

Code Behaviors & Features

Detect and mitigate CVE-2022-2995 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →