Miggo Logo
Miggo Vulnerability Database
CVE-2022-2990

CVE-2022-2990: Buildah's incorrect handling of the supplementary groups may lead to data disclosure, modification

7.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-2990
GHSA ID
GHSA-fjm8-m7m6-2fjp
EPSS Score
0.29887%
CWE
CWE-842
Published
9/14/2022
Updated
2/9/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/containers/buildahgo< 1.27.11.27.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper handling of supplementary groups in container configuration. The commit diff shows the critical fix was adding 'g.AddProcessAdditionalGid(user.GID)' in configureUIDGID function. Prior to patch, when setting a specific UID:GID, the primary GID wasn't included in additional groups, breaking Linux's expected behavior where primary group should be duplicated in supplementary groups. This allowed setgid binaries to bypass access controls that relied on negative group permissions. The function's responsibility for UID/GID configuration and the explicit patch location confirm its vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n in*orr**t **n*lin* o* t** suppl*m*nt*ry *roups in t** *uil*** *ont*in*r *n*in* mi**t l*** to t** s*nsitiv* in*orm*tion *is*losur* or possi*l* **t* mo*i*i**tion i* *n *tt**k*r **s *ir**t ****ss to t** *****t** *ont*in*r w**r* suppl*m*nt*ry *roups *

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* suppl*m*nt*ry *roups in *ont*in*r *on*i*ur*tion. T** *ommit *i** s*ows t** *riti**l *ix w*s ***in* '*.***Pro**ss***ition*l*i*(us*r.*I*)' in *on*i*ur*UI**I* *un*tion. Prior to p*t**, w**n s*ttin* * sp*