
[GHSA-rc4r-wh2q-q6c4] Update CVSS 3.x AV from Network (N) to Local (L) #5181

anonymous-nlp-student

The CVE-2022-36109 / GHSA-rc4r-wh2q-q6c4 highlights a vulnerability where an attacker could access sensitive information or execute code by exploiting supplementary group access within a containerized environment.

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. (Excerpt of CVE-2022-36109 Description)

Why the Attack Vector Should Be Local

The vulnerability explicitly states that the attacker requires “direct access to a container” to manipulate supplementary group access. This means the attacker must already have local access to the container environment, such as through a terminal session, SSH connection, or other direct interaction mechanisms. According to the CVSS 3.x specification, this matches the criteria for an Attack Vector = Local, where exploitation occurs through direct interaction with the vulnerable system rather than remotely.

Why the Attack Vector Should Not Be Network

This vulnerability is independent of the network stack and does not rely on any remote protocol-level exploitability. It is not triggered by sending malicious packets or interacting with network services. Instead, the issue stems from improper handling of supplementary groups within the container. The CVSS 3.x specification defines Attack Vector = Network for cases where exploitation occurs across one or more network hops, typically involving remote attacks. That is not applicable here.

The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet across a wide area network (e.g., CVE‑2004‑0230). (Excerpt of AV = N Definition)

Supporting Examples

Similar vulnerabilities categorized with Attack Vector = Local include:

An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

A bug was found in containerd where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container.

@github-actions github-actions bot changed the base branch from main to anonymous-nlp-student/advisory-improvement-5181 January 16, 2025 23:35
shelbyc commented Jan 17, 2025

Hi @anonymous-nlp-student, after reading https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/ and examining the records of CVE-2022-2989, CVE-2022-2990, and CVE-2022-2995, I agree with you and will change the CVSSv3 for CVE-2022-36109 from CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L to CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L in the CVE record and the global advisory. Thanks for your contribution and have a good weekend.

@advisory-database advisory-database bot merged commit ad75dd3 into github:anonymous-nlp-student/advisory-improvement-5181 Jan 17, 2025
2 checks passed
@advisory-database
Hi @anonymous-nlp-student! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
