Buildah
CVE-2022-2990
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
AnalysisAI
An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-842. An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container. Affected products include: Buildah Project Buildah, Redhat Openshift Container Platform, Redhat Enterprise Linux.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
A path traversal flaw was found in Buildah in versions before 1.14.5. Rated high severity (CVSS 8.8), this vulnerability
A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. Rated medium s
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version
Alpine Linux: buildah fixed in 1.37.5-r0
Same weakness CWE-842 – Placement of User into Incorrect Group
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today