CVE-2022-27651 — Incorrect default permissions in github.com/containers/buildah

Description

A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.

How to fix CVE-2022-27651

To remediate CVE-2022-27651, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 1.25.0 or later
—upgrade to 1.25.0 or later

Is CVE-2022-27651 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0
from 0, < 1.25.0
from 0, < 1.25.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-27651
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-27651
PATCHgithub.com/containers/buildah
WEBbugzilla.redhat.com/show_bug.cgi?id=2066840
WEB