CVE-2022-1706: Ignition config accessible to unprivileged software on VMware

May 25, 2022 (updated March 11, 2026)

Unprivileged software in VMware VMs, including software running in unprivileged containers, can retrieve an Ignition config stored in a hypervisor guestinfo variable or OVF environment. If the Ignition config contains secrets, this can result in the compromise of sensitive information.

References

github.com/advisories/GHSA-hj57-j5cw-2mwp
github.com/coreos/ignition
github.com/coreos/ignition/issues/1300
github.com/coreos/ignition/pull/1350
github.com/coreos/ignition/security/advisories/GHSA-hj57-j5cw-2mwp
nvd.nist.gov/vuln/detail/CVE-2022-1706

Code Behaviors & Features

Detect and mitigate CVE-2022-1706 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →