OpenCVE

A vulnerability was found in buildah. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Podman Project	Podman
Redhat	Enterprise Linux Rhel Eus

Configuration 1 [-]

cpe:2.3:a:podman_project:podman:4.3.0:-:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*
	cpe:2.3:o:fedoraproject:fedora:37:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8.8 Extended Update Support
container-tools:rhel8-8080020240422101606.0f77c1b7	cpe:/a:redhat:rhel_eus:8.8	RHSA-2024:2077	2024-04-29T00:00:00Z
Red Hat Enterprise Linux 9
podman-2:5.2.2-1.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:9102	2024-11-12T00:00:00Z

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=2144983
https://github.com/containers/podman/pull/16315
https://nvd.nist.gov/vuln/detail/CVE-2022-4122
https://www.cve.org/CVERecord?id=CVE-2022-4122

History

Wed, 13 Nov 2024 02:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:9
Vendors & Products		Redhat enterprise Linux

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2022-12-08T00:00:00

Updated: 2024-08-03T01:27:54.545Z

Reserved: 2022-11-22T00:00:00

Link: CVE-2022-4122

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-08T16:15:14.870

Modified: 2024-11-21T07:34:37.210

Link: CVE-2022-4122

Redhat

Severity : Moderate

Publid Date: 2022-11-22T00:00:00Z

Links: CVE-2022-4122 - Bugzilla

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:podman_project:podman:4.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "A2900852-3170-4AF7-828E-6445C78AC802", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in buildah. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en buildah. El seguimiento incorrecto de enlaces simb\u00f3licos al leer .containerignore y .dockerignore da como resultado la divulgaci\u00f3n de informaci\u00f3n."}], "id": "CVE-2022-4122", "lastModified": "2024-11-21T07:34:37.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-08T16:15:14.870", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144983"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/containers/podman/pull/16315"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144983"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/containers/podman/pull/16315"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:2077", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "container-tools:rhel8-8080020240422101606.0f77c1b7", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:9102", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "podman-2:5.2.2-1.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "podman: Symlink error leads to information disclosure", "id": "2144983", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144983"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-59", "details": ["A vulnerability was found in buildah. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure.", "A vulnerability was found in buildah and podman. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure."], "name": "CVE-2022-4122", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "container-tools:3.0/podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "container-tools:4.0/podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "container-tools:rhel8/podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Under investigation", "package_name": "podman", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "buildah", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Under investigation", "package_name": "podman", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2022-11-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-4122\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-4122\nhttps://github.com/containers/podman/pull/16315"], "statement": "These bugs come about when \"podman --remote build ...\" is run, thus affecting buildah, but the bug itself needs to be fixed in podman, and ported to Buildah.", "threat_severity": "Moderate"}