CVE-2022-29162 – Incorrect Default Permissions in runc
https://notcve.org/view.php?id=CVE-2022-29162
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. • https://github.com/opencontainers/runc/commit/d04de3a9b72d7a2455c1885fc75eb36d02cd17b5 https://github.com/opencontainers/runc/releases/tag/v1.1.2 https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66 https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVPZBV7ISA7QKRPTC7ZXWKMIQI2HZEBB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D77CKD3AXPMU4PMQIQI5Q74SI4JATNND • CWE-276: Incorrect Default Permissions •
CVE-2022-24778 – Incorrect Authorization in imgcrypt
https://notcve.org/view.php?id=CVE-2022-24778
The imgcrypt library provides API extensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current user is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run, anticipating that the image run would fail later because the layers were not available. • https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9 https://github.com/containerd/imgcrypt/issues/69 https://github.com/containerd/imgcrypt/releases/tag/v1.1.4 https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4SJUNSC7YZLA745EMKWK2GKEV57GE52K https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAHAAOOA3KZJC2I5WHCR3XVBJBNWTWUE https://lists.fe • CWE-303: Incorrect Implementation of Authentication Algorithm CWE-863: Incorrect Authorization •
CVE-2022-24777 – Denial of Service via reachable assertion in grpc-swift
https://notcve.org/view.php?id=CVE-2022-24777
grpc-swift is the Swift language implementation of gRPC, a remote procedure call (RPC) framework. Prior to version 1.7.2, a grpc-swift server is vulnerable to a denial of service attack via a reachable assertion. This is due to incorrect logic when handling GOAWAY frames. The attack is low-effort: it takes very few resources to construct and send the required sequence of frames. The impact on availability is high, as the server will crash, dropping all in-flight connections and requests. • https://github.com/grpc/grpc-swift/commit/858f977f2a51fca2292f384cf7a108dc2e73a3bd https://github.com/grpc/grpc-swift/security/advisories/GHSA-r6ww-5963-7r95 • CWE-617: Reachable Assertion •
CVE-2022-1025 – Openshift-Gitops: Improper access control allows admin privilege escalation
https://notcve.org/view.php?id=CVE-2022-1025
All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin level. A privilege escalation flaw was found in ArgoCD. This flaw allows a malicious user who has push access to an application's source git or Helm repository, or sync and override access, to perform actions they are not authorized to do. For example, if the attacker has `update` or `delete` access, they can modify or delete any resource on the destination cluster and escalate ArgoCD privileges to the admin level. If the attacker has `get` access, they can view and list actions for any resource on the destination cluster except secrets and view the logs of any pods on the destination cluster. • https://github.com/argoproj/argo-cd/security/advisories/GHSA-2f5v-8r3f-8pww https://access.redhat.com/security/cve/CVE-2022-1025 https://bugzilla.redhat.com/show_bug.cgi?id=2064682 • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVE-2022-24769 – Default inheritable capabilities for linux container should be empty
https://notcve.org/view.php?id=CVE-2022-24769
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. • http://www.openwall.com/lists/oss-security/2022/05/12/1 https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f https://github.com/moby/moby/releases/tag/v20.10.14 https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG https://lists.fedo • CWE-276: Incorrect Default Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •