CVE-2022-25328
Command injection in github.com/google/fscrypt
5.0
MEDIUM
CVSS 3.1
EPSS 0.04%
Description
The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be using the fscrypt bash completion script to complete mountpoint paths. We recommend upgrading to version 0.3.3 or above.
How to fix CVE-2022-25328
To remediate CVE-2022-25328, upgrade the affected package to a fixed version below.
- no fix listed
- upgrade to 0.3.3 or later
Is CVE-2022-25328 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- from 0, < 0.3.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.0 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H |