Description
A flaw was found in crun where containers were started with a non-empty default inheritable Linux capability set. The CVE record also repeats the wording of the related Moby (Docker Engine) advisory, in which containers were likewise started with non-empty inheritable Linux process capabilities. On execve(2) the kernel adds the intersection of the process's inheritable set and the executed file's inheritable file capabilities to the new permitted set, so an attacker who can run a program carrying inheritable file capabilities inside such a container gains those capabilities in the permitted set. With an empty inheritable set, as the fixed runtime provides, that term of the transformation is always zero; even in the affected case the gain is bounded by the inheritable set the runtime configured, which does not exceed the container's bounding set.
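The following C program is an added example and is not code from crun, Moby or the CVE record. It models the capability transformation that execve(2) applies, as documented in capabilities(7), and parses the Cap* lines of /proc/<pid>/status so the same check (is CapInh non-zero inside the container?) can be run against a real process. The two status snippets are constructed for the example, not captured output; 0xa80425fb is the usual default capability set of OCI runtimes and is used here only as realistic input.

```c
/* Added example; not code from crun, Moby or the CVE record. Models the
 * execve(2) capability transformation from capabilities(7) and parses the
 * Cap* lines of /proc/<pid>/status. Status text below is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_RAW   13   /* capability numbers from <linux/capability.h> */
#define CAP_SYS_ADMIN 21
#define CAP_BIT(c)    (UINT64_C(1) << (c))

struct proc_caps { uint64_t inh, prm, eff, bnd, amb; };
struct file_caps { uint64_t inh, prm; int eff; };  /* file capabilities on the binary */

/* Read one "CapXxx:\t<hex>" line from /proc/<pid>/status text; 0 if absent. */
uint64_t parse_cap(const char *status, const char *key)
{
    const char *p = strstr(status, key);
    if (!p)
        return 0;
    return strtoull(p + strlen(key), NULL, 16);   /* strtoull skips the tab */
}

struct proc_caps caps_from_status(const char *status)
{
    struct proc_caps c;
    c.inh = parse_cap(status, "CapInh:");
    c.prm = parse_cap(status, "CapPrm:");
    c.eff = parse_cap(status, "CapEff:");
    c.bnd = parse_cap(status, "CapBnd:");
    c.amb = parse_cap(status, "CapAmb:");
    return c;
}

/* The CVE's precondition: a container whose inheritable set is not empty. */
int inheritable_is_nonempty(const char *status)
{
    return parse_cap(status, "CapInh:") != 0;
}

/* New capability sets after execve(2) of a binary with file capabilities
 * (capabilities(7), "Transformation of capabilities during execve()").
 * A file carrying file capabilities is "privileged", so ambient is cleared. */
struct proc_caps exec_transform(struct proc_caps p, struct file_caps f)
{
    struct proc_caps n;
    n.amb = 0;
    n.prm = (p.inh & f.inh) | (f.prm & p.bnd) | n.amb;
    n.eff = f.eff ? n.prm : n.amb;
    n.inh = p.inh;
    n.bnd = p.bnd;
    return n;
}

/* Constructed: a non-root process in a container started by an affected
 * runtime. Permitted/effective were dropped on the uid switch, but the
 * inheritable set was left equal to the bounding set. */
static const char AFFECTED_STATUS[] =
    "CapInh:\t00000000a80425fb\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n";

/* Constructed: the same container with the fix, inheritable set empty. */
static const char FIXED_STATUS[] =
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n";

/* Permitted set gained by exec'ing a binary carrying only an inheritable
 * file capability (what `setcap cap_net_raw+i` would produce). */
uint64_t permitted_after_exec(const char *status, uint64_t file_inh)
{
    struct file_caps f = { file_inh, 0, 0 };
    return exec_transform(caps_from_status(status), f).prm;
}

int main(void)
{
    printf("affected: CapInh non-empty = %d\n", inheritable_is_nonempty(AFFECTED_STATUS));
    printf("affected, file cap_net_raw+i   -> permitted %#llx\n",
           (unsigned long long)permitted_after_exec(AFFECTED_STATUS, CAP_BIT(CAP_NET_RAW)));
    printf("fixed,    file cap_net_raw+i   -> permitted %#llx\n",
           (unsigned long long)permitted_after_exec(FIXED_STATUS, CAP_BIT(CAP_NET_RAW)));
    printf("affected, file cap_sys_admin+i -> permitted %#llx\n",
           (unsigned long long)permitted_after_exec(AFFECTED_STATUS, CAP_BIT(CAP_SYS_ADMIN)));
    return 0;
}
```

The third case shows the limit of the flaw: CAP_SYS_ADMIN is not in the inheritable set the runtime left behind, so a file marked cap_sys_admin+i grants nothing. To check a live container, feed the contents of /proc/1/status from inside it to inheritable_is_nonempty; a non-zero CapInh on crun before 1.4.4 is the affected configuration.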
References (4)
Issue Tracking, Third Party Advisory (x_refsource_misc): https://bugzilla.redhat.com/show_bug.cgi?id=2066845
Third Party Advisory (x_refsource_misc): https://github.com/containers/crun/security/advisories/GHSA-wr4f-w546-m398
Patch, Third Party Advisory (x_refsource_misc): https://github.com/containers/crun/commit/1aeeed2e4fdeffb4875c0d0b439915894594c8c6
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYIGABCZ7ZHAG2XCOGITTQRJU2ASWMFA/
Scores
CVSS v3
7.5
EPSS
0.0015
EPSS Percentile
34.5%
Attack Vector
NETWORK
CVSS v3.1 vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-276
Status
published
Products (4)
crun_project/crun: < 1.4.4
fedoraproject/fedora: 34
redhat/enterprise_linux: 8.0
redhat/openshift_container_platform: 4.0
Published
Apr 04, 2022
Tracked Since
Feb 18, 2026