Miggo Logo
Miggo Vulnerability Database
CVE-2022-2995

CVE-2022-2995: CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure

7.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-2995
GHSA ID
GHSA-phjr-8j92-w5v7
EPSS Score
0.06253%
CWE
CWE-284
Published
9/20/2022
Updated
1/31/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/cri-o/cri-ogo< 1.25.01.25.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from incorrect supplementary group handling in CRI-O's container initialization. The patch shows critical changes in setupContainerUser where: 1) GID assignment was moved after RunAsGroup check, and 2) AddProcessAdditionalGid(gid) was added. This indicates the original code didn't include the primary GID in supplementary groups when RunAsGroup was used, violating Linux's expectation that the primary group is duplicated in supplementary groups. The CWE-284/732 mapping and added test case validating supplementary groups confirm this was the vulnerable flow.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In*orr**t **n*lin* o* t** suppl*m*nt*ry *roups in t** *RI-O *ont*in*r *n*in* mi**t l*** to s*nsitiv* in*orm*tion *is*losur* or possi*l* **t* mo*i*i**tion i* *n *tt**k*r **s *ir**t ****ss to t** *****t** *ont*in*r w**r* suppl*m*nt*ry *roups *r* us** t

Reasoning

T** vuln*r**ility st*ms *rom in*orr**t suppl*m*nt*ry *roup **n*lin* in *RI-O's *ont*in*r initi*liz*tion. T** p*t** s*ows *riti**l ***n**s in s*tup*ont*in*rUs*r w**r*: *) *I* *ssi*nm*nt w*s mov** **t*r Run*s*roup ****k, *n* *) ***Pro**ss***ition*l*i*(