CVE Vulnerability

CVE-2022-0358

A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.

7.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://access.redhat.com/security/cve/CVE-2022-0358 Third Party Advisory
https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca Patch Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2044863 Issue Tracking Patch
https://security.netapp.com/advisory/ntap-20221007-0008/ Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*
Information

Published : 2022-08-29 03:15

Updated : 2022-12-09 06:00

NVD link : CVE-2022-0358

Mitre link : CVE-2022-0358

Products Affected
No products.
CWE
CWE-273

Improper Check for Dropped Privileges