Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mZ3Y4LXZqNWMtMnBwcc0uIA
Incorrect Authorization in runc
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.
Permalink: https://github.com/advisories/GHSA-fgv8-vj5c-2ppqJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mZ3Y4LXZqNWMtMnBwcc0uIA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-fgv8-vj5c-2ppq, CVE-2019-16884
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-16884
- https://github.com/opencontainers/runc/issues/2128
- https://github.com/opencontainers/runc/pull/2129
- https://github.com/crosbymichael/runc/commit/78dce1cf1ec36bbe7fe6767bdb81f7cbf6d34d70
- https://access.redhat.com/errata/RHSA-2019:3940
- https://access.redhat.com/errata/RHSA-2019:4074
- https://access.redhat.com/errata/RHSA-2019:4269
- https://lists.fedoraproject.org/archives/list/[email protected]/message/62OQ2P7K5YDZ5BRCH2Q6DHUJIHQD3QCD/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/DGK6IV5JGVDXHOXEKJOJWKOVNZLT6MYR/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/SPK4JWP32BUIVDJ3YODZSOEVEW6BHQCF/
- https://security.gentoo.org/glsa/202003-21
- https://security.netapp.com/advisory/ntap-20220221-0004/
- https://usn.ubuntu.com/4297-1/
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00073.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00010.html
- https://github.com/opencontainers/runc/pull/2130
- https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4
- https://github.com/opencontainers/selinux/commit/03b517dc4fd57245b1cf506e8ba7b817b6d309da
- https://pkg.go.dev/vuln/GO-2021-0085
- https://lists.debian.org/debian-lts-announce/2023/02/msg00016.html
- https://github.com/advisories/GHSA-fgv8-vj5c-2ppq
Blast Radius: 33.2
Affected Packages
go:github.com/opencontainers/selinux
Dependent packages: 1,881Dependent repositories: 18,863
Downloads:
Affected Version Ranges: < 1.3.1-0.20190929122143-5215b1806f52
Fixed in: 1.3.1-0.20190929122143-5215b1806f52
All affected versions: 1.0.0, 1.2.1, 1.2.2, 1.3.0
All unaffected versions: 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2, 1.11.0
go:github.com/opencontainers/runc
Dependent packages: 7,425Dependent repositories: 27,022
Downloads:
Affected Version Ranges: < 1.0.0-rc8.0.20190930145003-cad42f6e0932
Fixed in: 1.0.0-rc8.0.20190930145003-cad42f6e0932
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.1.0, 0.1.1, 1.0.0-rc1, 1.0.0-rc2, 1.0.0-rc3, 1.0.0-rc4, 1.0.0-rc5, 1.0.0-rc6, 1.0.0-rc7, 1.0.0-rc8, 1.0.0-rc10
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11