Improper Privilege Management Affecting kpartx package, versions <0:0.8.4-22.el8_6.2


Severity

Recommended
0.0
high
0
10

Based on AlmaLinux security rating.

Threat Intelligence

EPSS
0.06% (27th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Privilege Management vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-ALMALINUX8-KPARTX-5635451
  • published28 May 2023
  • disclosed25 Oct 2022

Introduced: 25 Oct 2022

CVE-2022-41974  (opens in a new tab)
CWE-269  (opens in a new tab)

How to fix?

Upgrade AlmaLinux:8 kpartx to version 0:0.8.4-22.el8_6.2 or higher.
This issue was patched in ALSA-2022:7192.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kpartx package and not the kpartx package as distributed by AlmaLinux. See How to fix? for AlmaLinux:8 relevant fixed versions and status.

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

CVSS Scores

version 3.1