5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-29162

GHSA ID

GHSA-f3fp-gc8g-vw66

EPSS Score

0.34376%

CWE

CWE-276

Published

5/24/2022

Updated

3/27/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-29162

CVE-2022-29162: Default inheritable capabilities for linux container should be empty

Impact

A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2).

This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set.

Patches

This bug has been fixed in runc 1.1.2. Users should update to this version as soon as possible.

This fix changes runc exec --cap behavior such that the additional capabilities granted to the process being executed (as specified via --cap arguments) do not include inheritable capabilities.

In addition, runc spec is changed to not set any inheritable capabilities in the created example OCI spec (config.json) file.

Credits

The opencontainers project would like to thank Andrew G. Morgan for responsibly disclosing this issue in accordance with the opencontainers org security policy.

For more information

If you have any questions or comments about this advisory:

Open an issue
Email us at security@opencontainers.org if you think you’ve found a security bug

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-29162

CVE-2022-29162:

5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-29162

GHSA ID

GHSA-f3fp-gc8g-vw66

EPSS Score

0.34376%

CWE

CWE-276

Published

5/24/2022

Updated

3/27/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/opencontainers/runc	go	< 1.1.2	1.1.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how runc exec --cap handled capability assignment. The commit diff shows the removal of a line in exec.go that added --cap-specified capabilities to the Inheritable set. This directly matches the CVE description of the flaw. The getProcess function in exec.go was responsible for this incorrect capability propagation. The high confidence comes from the explicit patch removing the vulnerable line and the CVE's technical details aligning with this code change.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-29162: Default inheritable capabilities for linux container should be empty

Impact

Patches

Credits

For more information

CVE-2022-29162:

5.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.9

5.9

CVE-2022-29162: Default inheritable capabilities for linux container should be empty

Impact

Patches

Credits

For more information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI