Incorrect Default Permissions
CVE-2022-27652
Summary
A flaw was found in cri-o prior to 1.24.0, where containers were incorrectly started with non-empty default permissions. A vulnerability was also found in Moby (Docker Engine), where containers were incorrectly started with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs that have inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
- LOW
- LOCAL
- LOW
- UNCHANGED
- NONE
- LOW
- LOW
- LOW
CWE-276 - Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.
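The check below is an added example, not code from cri-o or Moby. It audits the `CapInh` line of a `/proc/<pid>/status` dump and applies the execve(2) rule from capabilities(7) to show what the Summary describes. The two status dumps and the file capability mask are constructed sample values, and the model assumes a non-root process.

```python
# Added example. Capability bit numbers are a subset of linux/capability.h.
CAP_BITS = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 3: "CAP_FOWNER",
            4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID",
            8: "CAP_SETPCAP", 10: "CAP_NET_BIND_SERVICE", 13: "CAP_NET_RAW",
            18: "CAP_SYS_CHROOT", 27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE",
            31: "CAP_SETFCAP"}

# Constructed /proc/<pid>/status excerpts for a non-root container process.
NONEMPTY_INH = """CapInh:\t00000000a80425fb
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000"""
EMPTY_INH = NONEMPTY_INH.replace("CapInh:\t00000000a80425fb",
                                 "CapInh:\t0000000000000000")

def parse_caps(status_text):
    """Return the Cap* hex masks from /proc/<pid>/status text as integers."""
    caps = {}
    for line in status_text.splitlines():
        key, _, val = line.partition(":")
        if key in ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"):
            caps[key] = int(val.strip(), 16)
    return caps

def cap_names(mask):
    """Decode a capability bitmask into names (unknown bits shown as bitN)."""
    return [CAP_BITS.get(b, f"bit{b}") for b in range(64) if mask >> b & 1]

def permitted_after_execve(caps, file_inh, file_prm=0):
    """capabilities(7): P'(prm) = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(amb).
    Ambient capabilities are dropped when the file carries file capabilities."""
    ambient = 0 if (file_inh or file_prm) else caps.get("CapAmb", 0)
    return (caps["CapInh"] & file_inh) | (file_prm & caps["CapBnd"]) | ambient

def audit(status_text):
    """Return the inheritable capabilities; a non-empty list is the finding."""
    return cap_names(parse_caps(status_text).get("CapInh", 0))

if __name__ == "__main__":
    file_inh = 1 << 13  # constructed: a binary with CAP_NET_RAW in F(inheritable)
    for label, text in (("non-empty CapInh", NONEMPTY_INH), ("empty CapInh", EMPTY_INH)):
        gained = permitted_after_execve(parse_caps(text), file_inh)
        print(label, "| inheritable:", audit(text), "| permitted after execve:", cap_names(gained))
```

On a live host, pass the contents of `/proc/<pid>/status` for a container's process to `audit()`; an empty result is the expected state for a correctly started container.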