
CVE-2024-45310 – runc can be confused to create empty files/directories on the host
https://notcve.org/view.php?id=CVE-2024-45310
03 Sep 2024 — runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume c...

• https://github.com/opencontainers/runc/commit/63c2908164f3a1daea455bf5bcd8d363d70328c7
• CWE-61: UNIX Symbolic Link (Symlink) Following
• CWE-363: Race Condition Enabling Link Following