CVE-2022-2989: 
Podman vulnerability analysis and mitigation

CVE-2022-2989 affects the Podman container engine, where an incorrect handling of supplementary groups might lead to sensitive information disclosure or data modification. The vulnerability was discovered in 2022 and affects the container runtime's handling of group permissions (Bentham's Gaze).

The vulnerability stems from how containers handle primary group duplication. While Linux systems duplicate a user's primary group at login and add it to supplementary groups, container runtimes like Podman do not follow this practice. This omission allows programs running in containers to drop their primary group, potentially bypassing negative group permission restrictions (Bentham's Gaze).

If an attacker has direct access to an affected container where supplementary groups are used to set access permissions and can execute binary code, they could potentially access or modify sensitive information that should be restricted by negative group permissions (Red Hat CVE).

Several mitigation strategies are available: 1) Initialize containers with 'su' command using the '-l' flag to properly set up groups, 2) Manually duplicate groups in /etc/group, 3) Block setuid/setgid programs using Docker's '--security-opt no-new-privileges' flag or Kubernetes' 'allowPrivilegeEscalation=false' setting. The vulnerability has been patched in various versions through security updates (Bentham's Gaze).