Cri-O: Arbitrary /etc/passwd Injection via Crafted ENV Variable
CVE-2022-4318 Published on September 25, 2023
Cri-o: /etc/passwd tampering privesc
A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
Vulnerability Analysis
CVE-2022-4318 is exploitable with local system access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
Insertion of Sensitive Information into Externally-Accessible File or Directory
The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
Products Associated with CVE-2022-4318
Affected Versions
Red Hat OpenShift Container Platform 4.11:
- Version 0:1.24.4-10.rhaos4.11.git1ed5ac5.el8 and below * is unaffected.
- Version 0:1.25.2-9.rhaos4.12.git0a083f9.el9 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.