7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-2995

GHSA ID

GHSA-phjr-8j92-w5v7

EPSS Score

0.06253%

CWE

CWE-284

Published

9/20/2022

Updated

1/31/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-2995

CVE-2022-2995: CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure

Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-2995

CVE-2022-2995:

7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-2995

GHSA ID

GHSA-phjr-8j92-w5v7

EPSS Score

0.06253%

CWE

CWE-284

Published

9/20/2022

Updated

1/31/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cri-o/cri-o	go	< 1.25.0	1.25.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incorrect supplementary group handling in CRI-O's container initialization. The patch shows critical changes in setupContainerUser where: 1) GID assignment was moved after RunAsGroup check, and 2) AddProcessAdditionalGid(gid) was added. This indicates the original code didn't include the primary GID in supplementary groups when RunAsGroup was used, violating Linux's expectation that the primary group is duplicated in supplementary groups. The CWE-284/732 mapping and added test case validating supplementary groups confirm this was the vulnerable flow.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-2995: CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure

CVE-2022-2995:

7.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-2995: CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure

7.1

7.1

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI