Miggo Logo

CVE-2022-2989: Podman's incorrect handling of the supplementary groups may lead to data disclosure, modification

7.1

CVSS Score
3.1

Basic Information

EPSS Score
0.10509%
Published
9/14/2022
Updated
2/13/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/containers/podman/v4go< 4.2.04.2.0
github.com/containers/podman/v3go< 3.0.13.0.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from incorrect group initialization where the container's primary GID wasn't added to supplementary groups. The fix in commit 5c7f283/d82a416 shows modifications to pkg/specgen/namespaces.go where the primary GID is explicitly added to the additional groups array. This aligns with the CWE-842 (Incorrect Group Assignment) description. The libpod/container_internal_linux.go changes indicate the primary GID handling was flawed in user namespace configuration. These functions directly control group membership initialization, and their failure to duplicate the primary GID in supplementary groups matches the vulnerability's technical description of allowing privilege escalation through group dropping.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n in*orr**t **n*lin* o* t** suppl*m*nt*ry *roups in t** Po*m*n *ont*in*r *n*in* mi**t l*** to t** s*nsitiv* in*orm*tion *is*losur* or possi*l* **t* mo*i*i**tion i* *n *tt**k*r **s *ir**t ****ss to t** *****t** *ont*in*r w**r* suppl*m*nt*ry *roups *r

Reasoning

T** vuln*r**ility st*ms *rom in*orr**t *roup initi*liz*tion w**r* t** *ont*in*r's prim*ry *I* w*sn't ***** to suppl*m*nt*ry *roups. T** *ix in *ommit *******/******* s*ows mo*i*i**tions to pk*/sp****n/n*m*sp***s.*o w**r* t** prim*ry *I* is *xpli*itly