A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/cri-o/cri-o(Go) | 0 | 1.24.0 | N/A |
CVSS Metrics
