Fluid Attacks Database

Description

Opencontainers runc Incorrect Authorization vulnerability runc 1.0.0-rc95 through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/opencontainers/runc/libcontainer	>=0 <1.1.5	v1.1.5
debian 11	runc	=1.0.0~rc93+ds1-5 \|\| =1.0.0~rc93+ds1-5+deb11u1 \|\| =1.0.0~rc93+ds1-5+deb11u2 \|\| =1.0.0~rc93+ds1-5+deb11u3 \|\| =1.0.0~rc93+ds1-5+deb11u4 \|\| >=0 <1.0.0~rc93+ds1-5+deb11u5	1.0.0~rc93+ds1-5+deb11u5
debian 12	runc	>=0 <1.1.5+ds1-1	1.1.5+ds1-1
go	github.com/opencontainers/runc	>=1.0.0-rc95 <1.1.5	1.1.5
debian 13	runc	>=0 <1.1.5+ds1-1	1.1.5+ds1-1
debian 14	runc	>=0 <1.1.5+ds1-1	1.1.5+ds1-1
rpm rhel9	runc	<4:1.1.9-1.el9	4:1.1.9-1.el9
rpm rhel7	runc	-	-
rpm rhel8	runc	-	-

Aliases

1. CVE-2023-275612. NVD-2023-275613. OSV-2023-275614. OSV-DEBIAN-2023-275615. GCVE-2023-275616. SECURITY-TRACKER-CVE-2023-275617. lists.debian.org

References