CRI-O
- < 1.25
A vulnerability exists in CRI-O due to an incorrect fix for a previous issue (CVE-2022-4318), allowing the vulnerability to be bypassed. An attacker who can set environment variables in a container can inject a newline character into the HOME variable. This injection enables the addition of arbitrary lines to the /etc/passwd file by using a specially crafted environment variable. The vulnerability is present in CRI-O versions prior to 1.26.0.
Exploitation of this vulnerability allows for arbitrary line injection into the /etc/passwd file of the affected container. This could lead to privilege escalation within the container.
To reproduce this vulnerability, set a newline-injected HOME environment variable on a container. The injected newline will bypass the incorrect validation implemented in response to CVE-2022-4318, allowing unsanitized data to be processed and injected into the /etc/passwd file.
Users can upgrade to CRI-O versions 1.26.0 or later, where this vulnerability has been fixed.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.