It is possible to craft an environment variable with newlines to add entries to a container's /etc/passwd. It is possible to circumvent admission validation of username/UID by adding such an entry.
Note: because the pod author is in control of the container's /etc/passwd, this is not considered a new risk factor. However, this advisory is being opened for transparency and as a way of tracking fixes.
1.26.0 will have the fix. More patches will be posted as they're available.
Additional security controls like SELinux should prevent any damage a container is able to do with root on the host. Using SELinux is recommended because this class of attack is already possible by manually editing the container's /etc/passwd
| Score | Percentile |
|---|---|
| 0.04% | 12.63% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.1 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-cm9x-c3rh-7rc4 ↗ |
| CVE | CVE-2022-4318 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/cri-o/cri-o | < 1.26.0 | 1.26.0 | — |