Miggo Logo
Miggo Vulnerability Database
CVE-2022-29526

CVE-2022-29526: golang.org/x/sys/unix has Incorrect privilege reporting in syscall

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-29526
GHSA ID
GHSA-p782-xgp4-8hr8
EPSS Score
0.36309%
CWE
CWE-269
Published
6/24/2022
Updated
5/20/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
golang.org/x/sysgo< 0.0.0-20220412211240-33da011f77ad0.0.0-20220412211240-33da011f77ad

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The GitHub issue #52313 explicitly identifies a logic error in syscall.Faccessat's group membership check where it uses the process's gid instead of the file's st.Gid. This matches CVE-2022-29526's description of incorrect privilege reporting when flags parameter is non-zero. Both the standard library syscall and golang.org/x/sys/unix implementations are affected as they share the vulnerable code path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*o ***or* *.**.** *n* *.**.x ***or* *.**.* **s In*orr**t Privil*** R*portin* in sys**ll. W**n **ll** wit* * non-z*ro *l**s p*r*m*t*r, t** *****ss*t *un*tion *oul* in*orr**tly r*port t**t * *il* is ****ssi*l*. ### Sp**i*i* *o P**k***s *****t** *ol*n*

Reasoning

T** *it*u* issu* #***** *xpli*itly i**nti*i*s * lo*i* *rror in `sys**ll.*****ss*t`'s *roup m*m**rs*ip ****k w**r* it us*s t** `pro**ss`'s *i* inst*** o* t** *il*'s `st.*i*`. T*is m*t***s `*V*-****-*****`'s **s*ription o* in*orr**t privil*** r*portin*