CVE-2022-25328

Published: Feb 25, 2022Modified: Nov 21, 2024

7.3

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.3 / Impact: 5.9

Source: NVD

Description

The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be using the fscrypt bash completion script to complete mountpoint paths. We recommend upgrading to version 0.3.3 or above

Affected (1)

Products: Google: Fscrypt

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Google Fscrypt	Before 0.3.3

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://github.com/google/fscrypt/pull/346

Source: cve-coordination@google.com

PatchThird Party Advisory

https://github.com/google/fscrypt/pull/346

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.