
CVE-2022-27651: Non-empty default inheritable capabilities for linux container in Buildah

CVSS Score (v3.1): 6.8

Basic Information

EPSS Score: 0.2861%
Published: 4/1/2022
Updated: 2/14/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name: github.com/containers/buildah
Ecosystem: go
Vulnerable Versions: < 1.25.0
First Patched Version: 1.25.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from improper handling of Linux capabilities in two key areas:

  1. In chroot/run.go, setCapabilities() populated inheritable capabilities from the spec rather than enforcing an empty default.
  2. In run_linux.go, setupCapAdd()/setupCapDrop() directly manipulated inheritable capabilities when adding/dropping privileges.

The fix in commit e7e55c9 explicitly sets inheritable to empty in setCapabilities and removes inheritable capability modifications from setupCapAdd/setupCapDrop, confirming these functions' involvement. The Go vulnerability report (GO-2022-0417) and CVE description both align with these being the vulnerable code paths.
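The following Go model, added here as an illustration and not Buildah's own code, shows why a non-empty default inheritable set matters. It applies the capabilities(7) execve rule for the new permitted set to a container process that has switched to a non-root UID (so its permitted set is empty but its inheritable set survives), once with the spec-derived inheritable set and once with the empty set the fix enforces. Capability bit numbers follow linux/capability.h; the spec and file capabilities are constructed sample values.

```go
package main

import "fmt"

// Capability sets modelled as bitmasks; bit numbers follow linux/capability.h.
type CapSet uint64

const (
	CapChown          CapSet = 1 << 0
	CapNetBindService CapSet = 1 << 10
	CapNetRaw         CapSet = 1 << 13
)

// ProcCaps holds a process's capability sets. The ambient set is omitted:
// execve of a binary carrying file capabilities clears it anyway.
type ProcCaps struct{ Permitted, Inheritable, Bounding CapSet }

// FileCaps holds a binary's file capabilities as set with setcap(8).
type FileCaps struct{ Permitted, Inheritable CapSet }

// UnprivilegedProcess models a container process after it has switched to a
// non-root UID: the kernel clears permitted and effective, but the inheritable
// set survives. Pre-fix that set was copied from the spec; the fix forces it
// empty, which is what an ordinary Linux process would have.
// (Hypothetical model for illustration, not Buildah's code.)
func UnprivilegedProcess(specInheritable, bounding CapSet, fixed bool) ProcCaps {
	inh := specInheritable
	if fixed {
		inh = 0
	}
	return ProcCaps{Permitted: 0, Inheritable: inh, Bounding: bounding}
}

// PermittedAfterExec applies the capabilities(7) rule for the new permitted set:
// P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding))
func PermittedAfterExec(p ProcCaps, f FileCaps) CapSet {
	return (p.Inheritable & f.Inheritable) | (f.Permitted & p.Bounding)
}

func main() {
	bounding := CapChown | CapNetBindService | CapNetRaw // constructed sample spec
	// A binary carrying only an inheritable file capability (cap_net_raw+i).
	bin := FileCaps{Permitted: 0, Inheritable: CapNetRaw}
	for _, fixed := range []bool{false, true} {
		p := UnprivilegedProcess(bounding, bounding, fixed)
		fmt.Printf("fixed=%v inheritable=%#x -> permitted after exec=%#x\n",
			fixed, p.Inheritable, PermittedAfterExec(p, bin))
	}
}
```

With the pre-fix inheritable set the binary's +i file capability lands in the new permitted set; with the empty set it does not, while a file capability in the permitted set still works normally within the bounding set.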
