CVE IDs have been assigned to the negative-group vulnerability as it affects the container runtimes Podman (CVE-2022-2989), Buildah (CVE-2022-2990) and CRI-O (CVE-2022-2995). Why multiple CVE IDs? Because the Open Container Initiative (OCI) specification didn't require the vulnerable behaviour, but was just sufficiently ambiguous as to allow it. Consequently the CVE IDs get associated with the vulnerable software and not the specification. https://lnkd.in/djihj-3b #kubernetes #kubernetessecurity #podman #crio #containers #containersecurity #containerd #buildah #docker