Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/cri-o/cri-o: CVE-2022-27652 #426

Closed
GoVulnBot opened this issue Apr 18, 2022 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/cri-o/cri-o: CVE-2022-27652 #426

GoVulnBot opened this issue Apr 18, 2022 · 2 comments
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

Comments

@GoVulnBot
Copy link

CVE-2022-27652 references github.com/cri-o/cri-o, which may be a Go module.

Description:
A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

Links:

See doc/triage.md for instructions on how to triage this report.

module: github.com/cri-o/cri-o
package: cri-o
description: |
    A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
cves:
  - CVE-2022-27652
links:
    context:
      - https://bugzilla.redhat.com/show_bug.cgi?id=2066839
      - https://github.com/cri-o/cri-o/security/advisories/GHSA-4hj2-r2pm-3hc6
@neild neild closed this as completed Jun 15, 2022
@neild neild added excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. and removed NotGoVuln labels Aug 11, 2022
@GoVulnBot GoVulnBot mentioned this issue Jan 10, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Apr 26, 2024
Closed
@tatianab tatianab mentioned this issue Jun 7, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Jun 12, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592767 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607218 mentions this issue: data/reports: unexclude 20 reports (16)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (16)
e9d3f29 
  - data/reports/GO-2022-0407.yaml
  - data/reports/GO-2022-0410.yaml
  - data/reports/GO-2022-0413.yaml
  - data/reports/GO-2022-0416.yaml
  - data/reports/GO-2022-0418.yaml
  - data/reports/GO-2022-0424.yaml
  - data/reports/GO-2022-0426.yaml
  - data/reports/GO-2022-0429.yaml
  - data/reports/GO-2022-0440.yaml
  - data/reports/GO-2022-0442.yaml
  - data/reports/GO-2022-0447.yaml
  - data/reports/GO-2022-0448.yaml
  - data/reports/GO-2022-0449.yaml
  - data/reports/GO-2022-0450.yaml
  - data/reports/GO-2022-0451.yaml
  - data/reports/GO-2022-0452.yaml
  - data/reports/GO-2022-0453.yaml
  - data/reports/GO-2022-0454.yaml
  - data/reports/GO-2022-0455.yaml
  - data/reports/GO-2022-0456.yaml

Updates #407
Updates #410
Updates #413
Updates #416
Updates #418
Updates #424
Updates #426
Updates #429
Updates #440
Updates #442
Updates #447
Updates #448
Updates #449
Updates #450
Updates #451
Updates #452
Updates #453
Updates #454
Updates #455
Updates #456

Change-Id: I206c09343a83edd1fd9f1a37410a59391d904c6d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607218
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
@GoVulnBot GoVulnBot mentioned this issue Nov 26, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Jan 28, 2025
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@neild @gopherbot @GoVulnBot