NVD Vulnerability Detail

CVE-2022-0358

Summary	A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.
Publication Date	Aug. 30, 2022, 12:15 a.m.
Registration Date	Aug. 30, 2022, 10 a.m.
Last Update	Nov. 21, 2024, 3:38 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:qemu:qemu::::::::					6.2.0-7

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux:8.0::::advanced_virtualization:::

Related information, measures and tools

No	URL	タグ
1	https://access.redhat.com/security/cve/CVE-2022-0358	Third Party Advisory
2	https://access.redhat.com/security/cve/CVE-2022-0358	Third Party Advisory
3	https://bugzilla.redhat.com/show_bug.cgi?id=2044863	Issue Tracking Patch Third Party Advisory
4	https://bugzilla.redhat.com/show_bug.cgi?id=2044863	Issue Tracking Patch Third Party Advisory
5	https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca	Patch Third Party Advisory
6	https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca	Patch Third Party Advisory
7	https://security.netapp.com/advisory/ntap-20221007-0008/	Third Party Advisory
8	https://security.netapp.com/advisory/ntap-20221007-0008/	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-273	削除された特権に対する不適切なチェック	https://cwe.mitre.org/data/definitions/273.html

JVN Vulnerability Information

Fabrice Bellard の QEMU 他複数ベンダの製品における削除された特権に対する不適切なチェックに関する脆弱性

Title	Fabrice Bellard の QEMU 他複数ベンダの製品における削除された特権に対する不適切なチェックに関する脆弱性
Summary	Fabrice Bellard の QEMU 他複数ベンダの製品には、削除された特権に対する不適切なチェックに関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Aug. 29, 2022, midnight
Registration Date	Sept. 29, 2023, 5:08 p.m.
Last Update	Sept. 29, 2023, 5:08 p.m.

Affected System

レッドハット

Red Hat Enterprise Linux 8.0

Fabrice Bellard

QEMU 6.2.0-7 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2022-0358	https://www.cve.org/CVERecord?id=CVE-2022-0358
National Vulnerability Database (NVD)
2	CVE-2022-0358	https://nvd.nist.gov/vuln/detail/CVE-2022-0358

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-273	https://cwe.mitre.org/data/definitions/273.html

その他

No	Name	URL
関連文書
1	access.redhat.com (CVE-2022-0358)	https://access.redhat.com/security/cve/CVE-2022-0358
2	bugzilla.redhat.com (2044863)	https://bugzilla.redhat.com/show_bug.cgi?id=2044863
3	gitlab.com (449e8171f96a6a944d1f3b7d3627ae059eae21ca)	https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca
4	security.netapp.com (ntap-20221007-0008)	https://security.netapp.com/advisory/ntap-20221007-0008/

Change Log

No	Changed Details	Date of change
1	[2023年09月29日] 掲載	Sept. 29, 2023, 5:08 p.m.