CVE-2022-29526: 
cAdvisor vulnerability analysis and mitigation

Go programming language versions before 1.17.10 and 1.18.x before 1.18.2 contain an Incorrect Privilege Assignment vulnerability identified as CVE-2022-29526. The vulnerability was discovered in April 2022 and affects the Faccessat function when called with a non-zero flags parameter, which could incorrectly report that a file is accessible (CVE Mitre, Go Announce).

The vulnerability exists in the syscall.Faccessat function, which is designed to check whether the calling process can access a file. The bug occurs when the function checks a file's group permission bits if the process's user is a member of the process's group rather than checking if the user is a member of the file's group. This incorrect implementation causes Faccessat to usually check a file's group permissions even when the process's user is not a member of the file's group. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Ubuntu Security, GitHub Issue).

The successful exploitation of this vulnerability could lead to disclosure of sensitive information by allowing unauthorized access to files. The vulnerability affects system availability by potentially granting incorrect access permissions to files (Red Hat CVE, NetApp Security).

The vulnerability has been fixed in Go versions 1.17.10 and 1.18.2. Users are advised to upgrade to these or later versions. The fix involves correcting the group permission check in the Faccessat function to properly verify the file's group membership instead of the process's group membership. For systems that cannot immediately upgrade, there are no known workarounds (Go Announce, Gentoo Security).