CVE-2022-1706
MEDIUMIgnition < 2.14.0 - Unauthenticated Information Disclosure via VMware VM Container Access
Title source: llmDescription
A vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. The highest threat from this vulnerability is to data confidentiality. Possible workaround is to not put secrets in the Ignition config.
References (8)
Core 8
Core References
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NP765L7TJI7CD4XVOHUWZVRYRH3FYBOR/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LY7LKGMQMXV6DGD263YQHNSLOJJ5VLV5/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5QQXRGQKTN4YX2ZF3GQNEBDEOKJGCN3/
Issue Tracking, Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2082274
Patch, Third Party Advisory
https://github.com/coreos/ignition/commit/4b70b44b430ecf8377a276e89b5acd3a6957d4ea
Third Party Advisory
https://github.com/coreos/ignition/issues/1300
Third Party Advisory
https://github.com/coreos/ignition/issues/1315
Third Party Advisory
https://github.com/coreos/ignition/pull/1350
Scores
CVSS v3
6.5
EPSS
0.0059
EPSS Percentile
69.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-863
Status
published
Products (7)
coreos/ignition
0 - 2.14.0 (2 CPE variants)Go
fedoraproject/fedora
34
fedoraproject/fedora
35
fedoraproject/fedora
36
redhat/enterprise_linux
9.0
redhat/ignition
< 2.14.0
redhat/openshift_container_platform
4.0
Published
May 17, 2022
Tracked Since
Feb 18, 2026