
CVSS: 8.6 | EPSS: 5% | CPEs: 2 | EXPL: 13

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. • https://github.com/NitroCao/CVE-2024-21626 https://github.com/cdxiaodong/CVE-2024-21626 https://github.com/KubernetesBachelor/CVE-2024-21626 https://github.com/Wall1e/CVE-2024-21626-POC https://github.com/V0WKeep3r/CVE-2024-21626-runcPOC https://github.com/zpxlz/CVE-2024-21626-POC https://github.com/zhangguanzhang/CVE-2024-21626 https://github.com/laysakura/CVE-2024-21626-demo https://github.com/Sk3pper/CVE-2024-21626 https://github.com/abian2/CVE-2024-21626 https:// • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-403: Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') CWE-668: Exposure of Resource to Wrong Sphere •

CVSS: 6.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in the following conditions: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain write access to the user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host. Other users' cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. • https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17 https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc https://access.redhat.com/security/cve/CVE-2023-25809 https://bugzilla.redhat.com/show_bug.cgi?id=2182884 • CWE-276: Incorrect Default Permissions CWE-281: Improper Preservation of Permissions •

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting a symlinked `/proc`. See PR #3785 for details. Users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image. • https://github.com/opencontainers/runc/pull/3785 https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c https://access.redhat.com/security/cve/CVE-2023-28642 https://bugzilla.redhat.com/show_bug.cgi?id=2182883 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-281: Improper Preservation of Permissions CWE-305: Authentication Bypass by Primary Weakness •

CVSS: 7.0 | EPSS: 0% | CPEs: 5 | EXPL: 1

runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization by adding a symlink to the rootfs that points to a directory on the volume. • https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9 https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334 https://github.com/opencontainers/runc/issues/3751 https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF https://lists.fedoraproject.org • CWE-41: Improper Resolution of Path Equivalence CWE-706: Use of Incorrectly-Resolved Name or Reference •

CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. • https://github.com/opencontainers/runc/commit/d04de3a9b72d7a2455c1885fc75eb36d02cd17b5 https://github.com/opencontainers/runc/releases/tag/v1.1.2 https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66 https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVPZBV7ISA7QKRPTC7ZXWKMIQI2HZEBB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D77CKD3AXPMU4PMQIQI5Q74SI4JATNND • CWE-276: Incorrect Default Permissions •