Comment 23 for bug 1910456

Alex Murray (alexmurray) wrote :

@giladreti - so I have taken another look at the CVSS3.1 vector string you referenced above.

The threat in this case would appear to be from a malicious docker image or similar - would you agree? Given this, then I think the vector makes more sense as follows:

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

The Attack Vector is from the Network since a malicious image has to be downloaded from dockerhub or similar.

The Attack Complexity is Low since a malicious image is relatively easy to create.

No special Privileges are Required other than what is normally provided to a docker container.

There is no User Interaction required since, as you state, at some point it is quite likely that systemd will reload services and trigger this without any user interaction.

The Scope is changed since this then allows access to devices from the host system that were not originally part of the container's device cgroup.

C/I/A as High is because from what I can tell the snap.docker.dockerd.service devices cgroup appears to allow access to all devices on the system:

$ sudo cat /sys/fs/cgroup/devices/system.slice/snap.docker.dockerd.service/devices.list
a *:* rwm

And so this would appear to allow the container then to have arbitrary read/write access to any device on the system, including the host filesystem etc.

This would then result in a CVSS 3.1 base score of 10.0.

@anonymouse67 and others - does this seem to match with your understanding of the vulnerability as well?