{"containers": {"cna": {"affected": [{"product": "buildah", "vendor": "n/a", "versions": [{"status": "affected", "version": "Affects buildah v1.24.0 and prior, Fixed in - v1.25.0"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276 - Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-07T06:06:35", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066840"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/containers/buildah/security/advisories/GHSA-c3g4-w6cv-6v7h"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/containers/buildah/commit/e7e55c988c05dd74005184ceb64f097a0cfe645b"}, {"name": "FEDORA-2022-224a93852c", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VWH6X6HOFPO6HTESF42HIJZEPXSWVIO/"}, {"name": "FEDORA-2022-e6388650ea", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7NETC7I6RTMMBRJJQVJOJUPDK4W4PQSJ/"}, {"name": "FEDORA-2022-1a15fe81f0", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25YI27MENCEPZTTGRVU6BQD5V53FNI52/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2022-27651", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "buildah", "version": {"version_data": [{"version_value": "Affects buildah v1.24.0 and prior, Fixed in - v1.25.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-276 - Incorrect Default Permissions"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2066840", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066840"}, {"name": "https://github.com/containers/buildah/security/advisories/GHSA-c3g4-w6cv-6v7h", "refsource": "MISC", "url": "https://github.com/containers/buildah/security/advisories/GHSA-c3g4-w6cv-6v7h"}, {"name": "https://github.com/containers/buildah/commit/e7e55c988c05dd74005184ceb64f097a0cfe645b", "refsource": "MISC", "url": "https://github.com/containers/buildah/commit/e7e55c988c05dd74005184ceb64f097a0cfe645b"}, {"name": "FEDORA-2022-224a93852c", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VWH6X6HOFPO6HTESF42HIJZEPXSWVIO/"}, {"name": "FEDORA-2022-e6388650ea", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NETC7I6RTMMBRJJQVJOJUPDK4W4PQSJ/"}, {"name": "FEDORA-2022-1a15fe81f0", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25YI27MENCEPZTTGRVU6BQD5V53FNI52/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:32:59.789Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066840"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/containers/buildah/security/advisories/GHSA-c3g4-w6cv-6v7h"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/containers/buildah/commit/e7e55c988c05dd74005184ceb64f097a0cfe645b"}, {"name": "FEDORA-2022-224a93852c", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VWH6X6HOFPO6HTESF42HIJZEPXSWVIO/"}, {"name": "FEDORA-2022-e6388650ea", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7NETC7I6RTMMBRJJQVJOJUPDK4W4PQSJ/"}, {"name": "FEDORA-2022-1a15fe81f0", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25YI27MENCEPZTTGRVU6BQD5V53FNI52/"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2022-27651", "datePublished": "2022-04-04T19:45:44", "dateReserved": "2022-03-22T00:00:00", "dateUpdated": "2024-08-03T05:32:59.789Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "matchCriteriaId": "4131BE2A-9EA3-46B8-B99B-DFE8B4221497", "versionEndExcluding": "1.25.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity."}, {"lang": "es", "value": "Se ha encontrado un fallo en buildah por el que los contenedores eran iniciados incorrectamente con permisos por defecto no vac\u00edos. Se ha encontrado un bug en Moby (Docker Engine) donde los contenedores eran iniciados incorrectamente con capacidades de proceso Linux heredables no vac\u00edas, permitiendo a un atacante con acceso a programas con capacidades de archivo heredables elevar esas capacidades al conjunto permitido cuando execve(2) se ejecuta. Esto presenta el potencial de afectar la confidencialidad e integridad"}], "id": "CVE-2022-27651", "lastModified": "2023-11-07T03:45:22.527", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-04T20:15:10.990", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066840"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/containers/buildah/commit/e7e55c988c05dd74005184ceb64f097a0cfe645b"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/containers/buildah/security/advisories/GHSA-c3g4-w6cv-6v7h"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25YI27MENCEPZTTGRVU6BQD5V53FNI52/"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VWH6X6HOFPO6HTESF42HIJZEPXSWVIO/"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7NETC7I6RTMMBRJJQVJOJUPDK4W4PQSJ/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:1565", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "container-tools:3.0-8050020220411083214.e34216c9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-04-26T00:00:00Z"}, {"advisory": "RHSA-2022:1566", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "container-tools:2.0-8050020220411114323.e34216c9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-04-26T00:00:00Z"}, {"advisory": "RHSA-2022:1762", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "container-tools:rhel8-8060020220401155929.2e213529", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}, {"advisory": "RHSA-2022:4651", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "container-tools:2.0-8020020220420173758.28c38760", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-05-18T00:00:00Z"}, {"advisory": "RHSA-2022:1407", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "container-tools:2.0-8040020220411112506.c0c392d5", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-04-19T00:00:00Z"}, {"advisory": "RHSA-2022:4816", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "container-tools:3.0-8040020220419093313.c0c392d5", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-05-31T00:00:00Z"}], "bugzilla": {"description": "buildah: Default inheritable capabilities for linux container should be empty", "id": "2066840", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066840"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-276", "details": ["A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.", "A flaw was found in buildah, where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs."], "mitigation": {"lang": "en:us", "value": "The entry point of a container can be modified to use a utility like capsh(1) to drop inheritable capabilities prior to the primary process starting."}, "name": "CVE-2022-27651", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:4.0/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "buildah", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2022-03-30T12:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-27651\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-27651\nhttps://github.com/containers/buildah/security/advisories/GHSA-c3g4-w6cv-6v7h"], "statement": "This issue is related to the general vulnerability found in Moby (Docker Engine), which has been assigned CVE-2022-24769.\nThe impact for OpenShift Container Platform is set to LOW as Buildah was shipped but is not being used. No update is planned at this time.", "threat_severity": "Moderate", "upstream_fix": "buildah 1.25.0"}