CVE-2022-2989
Description
Incorrect handling of supplementary groups in the Podman container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute binary code in that container.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Podman incorrectly handles supplementary groups inside containers, allowing information disclosure or data modification by a local attacker with code execution.
Root Cause
The Podman container engine handled supplementary groups incorrectly when setting access permissions inside a container [2]. This flaw could cause the container to apply group-based permissions that differ from the intended security policy, potentially granting unintended access to files or resources.
Exploitation
To exploit this vulnerability, an attacker must have direct access to the affected container and be able to execute arbitrary binary code within it [2]. No special network access or additional authentication is required beyond what is already available in the compromised container.
Impact
A successful exploit could lead to sensitive information disclosure or unauthorized data modification [2]. The attacker might read files that should be restricted based on group membership, or modify data that should be protected, effectively bypassing the intended access controls.
Mitigation
Red Hat has released updated packages for Podman (4.2.0-7) and related tools (e.g., buildah, aardvark-dns) through RHSA-2022:7822, RHSA-2022:8431, and RHSA-2022:8008 [1][3]. Users should update to the fixed versions to remediate this vulnerability.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/containers/podman/v4 (Go) | < 4.2.0 | 4.2.0 |
| github.com/containers/podman/v3 (Go) | < 3.0.1 | 3.0.1 |
Affected products
- Podman/Podman
References
- github.com/advisories/GHSA-4wjj-jwc9-2x96 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-2989 (advisory)
- access.redhat.com/errata/RHSA-2022:7822
- access.redhat.com/errata/RHSA-2022:8008
- access.redhat.com/errata/RHSA-2022:8431
- access.redhat.com/security/cve/CVE-2022-2989
- bugzilla.redhat.com/show_bug.cgi
- github.com/containers/podman/pull/15618
- github.com/containers/podman/pull/15677
- github.com/containers/podman/pull/15696
- www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/