CVE-2019-19921

Опубликовано: 12 фев. 2020

Источник: nvd

CVSS3: 7

CVSS2: 4.4

EPSS Низкий

Описание

runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)

Ссылки

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html
Broken Link
Mailing List
Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0688
Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0695
Third Party Advisory
https://github.com/opencontainers/runc/issues/2197
Issue Tracking
Patch
Third Party Advisory
https://github.com/opencontainers/runc/pull/2190
Issue Tracking
Third Party Advisory
https://github.com/opencontainers/runc/releases
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ/
https://security-tracker.debian.org/tracker/CVE-2019-19921
Third Party Advisory
https://security.gentoo.org/glsa/202003-21
Third Party Advisory
https://usn.ubuntu.com/4297-1/
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html
Broken Link
Mailing List
Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0688
Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0695
Third Party Advisory
https://github.com/opencontainers/runc/issues/2197
Issue Tracking
Patch
Third Party Advisory
https://github.com/opencontainers/runc/pull/2190
Issue Tracking
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*

Версия до 0.1.1 (включая)

cpe:2.3:a:linuxfoundation:runc:1.0.0:rc1:*:*:*:*:*:*

cpe:2.3:a:linuxfoundation:runc:1.0.0:rc2:*:*:*:*:*:*

cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:*

cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:*

cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:*

cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:*

cpe:2.3:a:linuxfoundation:runc:1.0.0:rc7:*:*:*:*:*:*

cpe:2.3:a:linuxfoundation:runc:1.0.0:rc8:*:*:*:*:*:*

cpe:2.3:a:linuxfoundation:runc:1.0.0:rc9:*:*:*:*:*:*

Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*

Конфигурация 4

Одно из

cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*

EPSS

Процентиль: 48%

0.00244

Низкий

7 High

CVSS3

4.4 Medium

CVSS2

Дефекты

CWE-706

Связанные уязвимости

CVE-2019-19921

CVSS3: 7

ubuntu

больше 5 лет назад

CVE-2019-19921

CVSS3: 7

redhat

больше 5 лет назад

CVE-2019-19921

CVSS3: 7

debian

больше 5 лет назад

runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalat ...

openSUSE-SU-2020:0219-1

suse-cvrf

больше 5 лет назад

Security update for docker-runc

SUSE-SU-2020:0944-1

suse-cvrf

больше 5 лет назад

Security update for runc

EPSS

Процентиль: 48%

0.00244

Низкий

7 High

CVSS3

4.4 Medium

CVSS2

Дефекты

CWE-706