A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
Restrict access to users who can create or modify container workloads through appropriate RBAC permissions, apply security controls such as Security Context Constraints (SCCs) to limit privilege escalation, and enforce policies to run containers with reduced privileges (for example, as non-root) to reduce the impact of potential exploitation. Enable SELinux on affected nodes and consider admission controls to prevent potentially unsafe workload configurations.