CVE-2022-2990
CVE-2022-2990 is a high-severity vulnerability in Redhat Openshift Container Platform with a CVSS 3.x base score of 7.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-842.
Key facts
- Severity: High (CVSS 3.x base score 7.1)
- EPSS exploit prediction: 0% (25th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-842
- Affected product: Redhat Openshift Container Platform
- Published:
- Last modified:
Description
An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
Frequently asked questions
- What is CVE-2022-2990?
- An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
- How severe is CVE-2022-2990?
- CVE-2022-2990 has a CVSS 3.x base score of 7.1, rated high severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2022-2990 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (25th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-2990?
- CVE-2022-2990 primarily affects Redhat Openshift Container Platform. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-2990?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2022-2990 published?
- CVE-2022-2990 was published on 2022-09-13 and last updated on 2026-06-17.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2121453
- https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
Affected products (5)
- cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
More vulnerabilities in Redhat Openshift Container Platform
- CVE-2022-4361 — Critical (CVSS 10.0): Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the…
- CVE-2019-7609 — Critical (CVSS 10.0): Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An…
- CVE-2018-14721 — Critical (CVSS 10.0): FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF)…
- CVE-2019-1003034 — Critical (CVSS 9.9): A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in…
- CVE-2019-1003031 — Critical (CVSS 9.9): A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml,…
- CVE-2019-1003030 — Critical (CVSS 9.9): A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml,…
All CVEs affecting Redhat Openshift Container Platform →
Other CWE-842 vulnerabilities
- CVE-2024-9412 — High (CVSS 8.4): An improper authorization vulnerability exists in the Rockwell Automation affected products that could allow an…
- CVE-2022-3650 — High (CVSS 7.8): A privilege escalation flaw was found in Ceph. Ceph-crash.service allows a local attacker to escalate privileges to…
- CVE-2026-6970 — High (CVSS 7.3): authd prior to version 0.6.4 contains a logic error in primary group ID assignment that can lead to local privilege…
- CVE-2022-2989 — High (CVSS 7.1): An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive…
- CVE-2022-45097 — Medium (CVSS 6.3): Dell PowerScale OneFS 9.0.0.x-9.4.0.x contains an Incorrect User Management vulnerability. A low privileged network…
- CVE-2022-31007 — Medium (CVSS 4.9): eLabFTW is an electronic lab notebook manager for research teams. Prior to version 4.3.0, a vulnerability allows an…