CVE-2022-2739 - Vulnerability Details - OpenCVE

The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-14370, which was previously fixed via RHSA-2020:5056. This issue could possibly allow an attacker to gain access to sensitive information stored in environment variables.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00082.

Key SSVC decision points have not yet been added.

Vendors	Products
Podman Project	Podman
Redhat	Enterprise Linux Server Enterprise Linux Workstation Rhel Extras Other

Configuration 1 [-]

OR	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

Configuration 2 [-]

cpe:2.3:a:podman_project:podman:1.6.4-32.el7_9:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7 Extras
podman-0:1.6.4-36.el7_9	cpe:/a:redhat:rhel_extras_other:7	RHSA-2022:6119	2022-08-22T00:00:00Z

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2022-2739
https://bugzilla.redhat.com/show_bug.cgi?id=2116927
https://nvd.nist.gov/vuln/detail/CVE-2022-2739
https://www.cve.org/CVERecord?id=CVE-2022-2739

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2022-09-01T20:51:02

Updated: 2024-08-03T00:46:04.095Z

Reserved: 2022-08-09T00:00:00

Link: CVE-2022-2739

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-01T21:15:09.753

Modified: 2024-11-21T07:01:36.847

Link: CVE-2022-2739

Redhat

Severity : Moderate

Publid Date: 2022-08-19T00:00:00Z

Links: CVE-2022-2739 - Bugzilla

OpenCVE Enrichment

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:podman_project:podman:1.6.4-32.el7_9:*:*:*:*:*:*:*", "matchCriteriaId": "341CA287-E1F2-41B1-AB2E-E77794909734", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-14370, which was previously fixed via RHSA-2020:5056. This issue could possibly allow an attacker to gain access to sensitive information stored in environment variables."}, {"lang": "es", "value": "La versi\u00f3n de podman publicada para Red Hat Enterprise Linux 7 Extras por medio del aviso RHSA-2022:2190 inclu\u00eda una versi\u00f3n incorrecta de podman que carec\u00eda de la correcci\u00f3n de CVE-2020-14370, que se hab\u00eda corregido previamente por medio de RHSA-2020:5056. Este problema podr\u00eda permitir a un atacante acceder a informaci\u00f3n confidencial almacenada en variables de entorno"}], "id": "CVE-2022-2739", "lastModified": "2024-11-21T07:01:36.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-01T21:15:09.753", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2022-2739"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116927"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2022-2739"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116927"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-312"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:6119", "cpe": "cpe:/a:redhat:rhel_extras_other:7", "package": "podman-0:1.6.4-36.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extras", "release_date": "2022-08-22T00:00:00Z"}], "bugzilla": {"description": "podman: Security regression of CVE-2020-14370 due to source code management issue", "id": "2116927", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116927"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-312", "details": ["The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-14370, which was previously fixed via RHSA-2020:5056. This issue could possibly allow an attacker to gain access to sensitive information stored in environment variables.", "The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-14370, which was previously fixed via RHSA-2020:5056. This issue could possibly allow an attacker to gain access to sensitive information stored in environment variables."], "name": "CVE-2022-2739", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:3.0/podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:4.0/podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:rhel8/podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-08-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-2739\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2739"], "statement": "This issue only affects a single version of podman, 1.6.4-32.el7_9, shipped in Red Hat Enterprise Linux 7 Extras. Both earlier and later versions are not affected.", "threat_severity": "Moderate"}