CVE-2022-1227

Published: April 29, 2022Last modified: November 8, 2023

Description

A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.

Severity score breakdown

Parameter	Value
Base score	8.8
Attack Vector	NETWORK
Attack complexity	LOW
Privileges required	NONE
User interaction	REQUIRED
Scope	UNCHANGED
Confidentiality	HIGH
Integrity impact	HIGH
Availability impact	HIGH
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	podman	Not affected (4.3.1-r4)
Alpaquita Linux	Stream	podman	Not affected (4.6.2-r0)

References

https://bugzilla.redhat.com/show_bug.cgi?id=2070368
https://github.com/containers/podman/issues/10941
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/
https://security.netapp.com/advisory/ntap-20240628-0001/