CVE-2022-3787

Published: 07 Nov 2022
Source: redhat
CVSS3: 8.4
EPSS: Low

Description

A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users that are able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This issue occurs because an attacker can repeat a keyword, which is mishandled when arithmetic ADD is used instead of bitwise OR. This could lead to local privilege escalation to root.
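
The ADD-versus-OR flaw described above, as an added example that is not code from device-mapper-multipath or Red Hat; the keyword codes and the sample request are hypothetical. It shows how summing per-keyword bit codes lets a repeated keyword produce the value of a different keyword set, while bitwise OR does not, plus a check that reports repeats.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical keyword codes, constructed for this example
 * (not the values used by device-mapper-multipath). */
enum { KW_LIST = 1u << 0, KW_ADD = 1u << 1, KW_PATH = 1u << 2 };

/* Constructed input: a request that repeats one keyword. */
static const uint32_t SAMPLE[] = { KW_LIST, KW_LIST, KW_PATH };
#define SAMPLE_LEN (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* Flawed form: arithmetic ADD, so a repeated keyword carries into another bit. */
static uint32_t fingerprint_add(const uint32_t *kw, size_t n)
{
    uint32_t fp = 0;
    for (size_t i = 0; i < n; i++)
        fp += kw[i];
    return fp;
}

/* Corrected form: bitwise OR is idempotent, so repeats change nothing. */
static uint32_t fingerprint_or(const uint32_t *kw, size_t n)
{
    uint32_t fp = 0;
    for (size_t i = 0; i < n; i++)
        fp |= kw[i];
    return fp;
}

/* Defence in depth: report whether any keyword occurs more than once. */
static int has_repeated_keyword(const uint32_t *kw, size_t n)
{
    uint32_t seen = 0;
    for (size_t i = 0; i < n; i++) {
        if (seen & kw[i])
            return 1;
        seen |= kw[i];
    }
    return 0;
}

int main(void)
{
    printf("add=0x%x or=0x%x repeated=%d\n",
           (unsigned)fingerprint_add(SAMPLE, SAMPLE_LEN),
           (unsigned)fingerprint_or(SAMPLE, SAMPLE_LEN),
           has_repeated_keyword(SAMPLE, SAMPLE_LEN));
    return 0;
}
```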

Report

This issue only affected Red Hat Enterprise Linux 8.7 and Red Hat Enterprise Linux 9.1, which introduced this regression via the following errata: https://access.redhat.com/errata/RHBA-2022:7714 (Red Hat Enterprise Linux 8.7) https://access.redhat.com/errata/RHBA-2022:8313 (Red Hat Enterprise Linux 9.1) These errata provided updates for device-mapper-multipath packages, but did not include fixes for CVE-2022-41974. This issue did not affect Red Hat Enterprise Linux 8.6 or earlier, and Red Hat Enterprise Linux 9.0, as previously released fixes for CVE-2022-41974 were not regressed in those versions. For more details about the original security issue CVE-2022-41974, refer to the CVE page: https://access.redhat.com/security/cve/CVE-2022-41974.

Affected packages

| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | device-mapper-multipath | Not affected | | |
| Red Hat Enterprise Linux 7 | device-mapper-multipath | Not affected | | |
| Red Hat Virtualization 4 | redhat-virtualization-host | Not affected | | |
| Red Hat Enterprise Linux 8 | device-mapper-multipath | Fixed | RHSA-2022:7928 | 14.11.2022 |
| Red Hat Enterprise Linux 9 | device-mapper-multipath | Fixed | RHSA-2022:8453 | 15.11.2022 |


Additional information

Status: Important
Defect: CWE-285
https://bugzilla.redhat.com/show_bug.cgi?id=2138959 device-mapper-multipath: Regression of CVE-2022-41974 fix in Red Hat Enterprise Linux

EPSS

Percentile: 0%
0.00008
Low

CVSS3: 8.4 High

Related vulnerabilities

CVSS3: 7.8
nvd
more than 2 years ago

A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users that are able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This issue occurs because an attacker can repeat a keyword, which is mishandled when arithmetic ADD is used instead of bitwise OR. This could lead to local privilege escalation to root.

rocky
more than 2 years ago

Important: device-mapper-multipath security update

rocky
more than 2 years ago

Important: device-mapper-multipath security update

CVSS3: 7.8
github
more than 2 years ago

A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users that are able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This issue occurs because an attacker can repeat a keyword, which is mishandled when arithmetic ADD is used instead of bitwise OR. This could lead to local privilege escalation to root.

oracle-oval
more than 2 years ago

ELSA-2022-8453: device-mapper-multipath security update (IMPORTANT)
