CVE-2022-3787

CVE Details

Release Date:2023-03-29
Impact:None What is this?

Description


A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users that are able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This issue occurs because an attacker can repeat a keyword, which is mishandled when arithmetic ADD is used instead of bitwise OR. This could lead to local privilege escalation to root.

See more information about CVE-2022-3787 from MITRE CVE dictionary and NIST NVD


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v3 metrics

Base Score: 7.8
Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.0
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Errata information


PlatformErrataRelease Date
Oracle Linux version 8 (device-mapper-multipath)ELSA-2022-79282022-11-17
Oracle Linux version 9 (device-mapper-multipath)ELSA-2022-84532022-11-24


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

software.hardware.complete