It is possible to craft an environment variable with newlines to add entries to /etc/passwd. Using the default SCC prevents the privesc. A malicious user could use a non-default SCC (anyuid, for example) that allows the process to become root on the host.
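An added example, not part of the original report and not cri-o's own code: one way to keep an environment-derived value from adding lines when a passwd entry is generated. The function names, the sample values and the choice of the home directory as the environment-derived field are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeField is returned when a value cannot be placed in a passwd field.
var ErrUnsafeField = errors.New("unsafe character in passwd field")

// validPasswdField rejects anything that could end the current field or record:
// ':' separates passwd(5) fields, and control characters (including \n and \r)
// would terminate the line and start a new entry.
func validPasswdField(v string) error {
	for _, r := range v {
		if r == ':' || r < 0x20 || r == 0x7f {
			return fmt.Errorf("%w: %q", ErrUnsafeField, r)
		}
	}
	return nil
}

// PasswdEntry (hypothetical helper) builds exactly one passwd(5) line.
// home is assumed to come from the container environment and is untrusted.
func PasswdEntry(name string, uid, gid uint32, home string) (string, error) {
	for _, f := range []string{name, home} {
		if err := validPasswdField(f); err != nil {
			return "", err
		}
	}
	line := fmt.Sprintf("%s:x:%d:%d::%s:/sbin/nologin\n", name, uid, gid, home)
	// Defence in depth: the result must be one record with seven fields.
	if strings.Count(line, "\n") != 1 || strings.Count(line, ":") != 6 {
		return "", ErrUnsafeField
	}
	return line, nil
}

func main() {
	// Constructed sample values, not taken from the bug report.
	for _, home := range []string{"/home/app", "/home/app\nINJECTED-LINE"} {
		line, err := PasswdEntry("app", 1000, 1000, home)
		fmt.Printf("home=%q line=%q err=%v\n", home, line, err)
	}
}
```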
Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2155654]

Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-8 [bug 2155653]

Created cri-o:1.20/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155693]

Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155694]

Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155695]

Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155696]

Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155697]
Affects: fedora-37 [bug 2155699]

Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155698]
Affects: fedora-37 [bug 2155700]
This issue has been addressed in the following products:

Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:1033 https://access.redhat.com/errata/RHSA-2023:1033
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-4318
This issue has been addressed in the following products:

Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:1503 https://access.redhat.com/errata/RHSA-2023:1503