
CVE-2018-10856: Podman Elevated Container Privileges

CVSS Score (v3.0)
8.8

Basic Information

EPSS Score
0.36952%
Published
5/13/2022
Updated
9/16/2024
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name
github.com/containers/podman
Ecosystem
go
Vulnerable Versions
< 0.6.1
First Patched Version
0.6.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The GitHub patch shows critical modifications to the setupCapabilities function in pkg/spec/spec.go. The commit message explicitly states the need to 'clear all caps except the bounding set' when --user is specified, and the diff demonstrates the addition of logic to reset capabilities for non-root users. The CWE-732 (Incorrect Permission Assignment) directly maps to this capability retention issue. The added test case in run_test.go verifies capability dropping for non-root users, confirming this was the vulnerable code path.
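A check a defender can run inside a container to confirm the fix, added here as an illustration and not part of Miggo's page or Podman's code: it parses the Uid and CapEff lines of /proc/<pid>/status and flags the condition the CVE describes (a non-root process that still holds effective capabilities). The status text and the capability mask in it are a constructed sample.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// parseProcStatus extracts the real UID and the CapEff mask from /proc/<pid>/status
// text: Uid lists real/effective/saved/fs UIDs (the first is used); CapEff is hex.
func parseProcStatus(status string) (uid int, capEff uint64, err error) {
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		switch f[0] {
		case "Uid:":
			uid, err = strconv.Atoi(f[1])
		case "CapEff:":
			capEff, err = strconv.ParseUint(f[1], 16, 64)
		default:
			continue
		}
		if err != nil {
			return 0, 0, fmt.Errorf("bad %s line: %w", f[0], err)
		}
		seen[f[0]] = true
	}
	if !seen["Uid:"] || !seen["CapEff:"] {
		return 0, 0, fmt.Errorf("Uid or CapEff line missing")
	}
	return uid, capEff, nil
}

// retainsCaps is the CVE-2018-10856 condition: a non-root process still holding effective caps.
func retainsCaps(uid int, capEff uint64) bool { return uid != 0 && capEff != 0 }

// Constructed sample of /proc/1/status from a container started with --user 1000
// on an affected build; only the relevant lines are reproduced.
const sampleStatus = "Name:\tsleep\nUid:\t1000\t1000\t1000\t1000\n" +
	"CapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"

func main() {
	uid, capEff, err := parseProcStatus(sampleStatus)
	fmt.Printf("uid=%d capEff=%#x retainsCaps=%v err=%v\n", uid, capEff, retainsCaps(uid, capEff), err)
}
```

On a patched build the same container reports CapEff 0000000000000000 for the non-root process, so retainsCaps returns false.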


WAF Protection Rules

WAF Rule

It has been discovered that podman before version 0.6.1 does not drop capabilities when executing a container as a non-root user. This results in unnecessary privileges being granted to the container.
