
CVE-2021-30465

runc: vulnerable to symlink exchange attack

Severity Score: 8.5 (CVSS v3.1)
Exploit Likelihood (EPSS): -
Affected Versions (CPE): listed under "Affected Vendors, Products, and Versions" below
Public Exploits: 0 (multiple sources)
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition.


The runc package is vulnerable to a symlink exchange attack whereby an attacker can request a seemingly innocuous container configuration that results in the host filesystem being bind-mounted into the container. The highest threat from this vulnerability is to data confidentiality and integrity as well as to system availability.

An update that solves four vulnerabilities and has 13 fixes is now available. This update for containerd, docker, and runc fixes the following issues.

Docker was updated to 20.10.6-ce:
  • Switched the version to use the -ce suffix rather than _ce, to avoid confusing other tools.
  • Fixed a potential privilege escalation when the root user in the remapped namespace has access to the host filesystem.
  • Fixed an issue where pulling a malformed Docker image manifest crashes the dockerd daemon.
  • Btrfs quotas being removed by Docker regularly.

runc was updated to v1.0.0~rc93:
  • Use the upstream runc package.
  • Fixed /dev/null not being available.
  • Fixed a symlink-exchange attack vulnerability.

Containerd was updated to v1.4.4:
  • Fixed a potential information leak through environment variables.
  • Handle a requirement from docker.

This update was imported from the SUSE:SLE-15:Update update project.

Credits: N/A

CVSS Scores

Metric               CVSS v3.1 (1)   CVSS v3.1 (2)   CVSS v2
Attack Vector        Network         Network         Network
Attack Complexity    High            High            Medium
Privileges Required  Low             Low             -
Authentication       -               -               Single
User Interaction     None            None            -
Scope                Changed         Unchanged       -
Confidentiality      High            High            Partial
Integrity            High            High            Partial
Availability         High            High            Partial

* Common Vulnerability Scoring System. The first CVSS v3.1 vector (Scope: Changed) is the one behind the 8.5 severity score shown above; the third set uses the CVSS v2 metrics (Authentication, Partial impacts).
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-04-08 CVE Reserved
  • 2021-05-19 CVE Published
  • 2024-08-03 CVE Updated
  • 2025-06-23 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')
  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Affected Vendors, Products, and Versions

Vendor           Product  Version   Other  Status
Linuxfoundation  Runc     <= 0.1.1  -      Affected
Linuxfoundation  Runc     1.0.0     rc1    Affected
Linuxfoundation  Runc     1.0.0     rc2    Affected
Linuxfoundation  Runc     1.0.0     rc3    Affected
Linuxfoundation  Runc     1.0.0     rc4    Affected
Linuxfoundation  Runc     1.0.0     rc5    Affected
Linuxfoundation  Runc     1.0.0     rc6    Affected
Linuxfoundation  Runc     1.0.0     rc7    Affected
Linuxfoundation  Runc     1.0.0     rc8    Affected
Linuxfoundation  Runc     1.0.0     rc9    Affected
Linuxfoundation  Runc     1.0.0     rc10   Affected
Linuxfoundation  Runc     1.0.0     rc90   Affected
Linuxfoundation  Runc     1.0.0     rc91   Affected
Linuxfoundation  Runc     1.0.0     rc92   Affected
Linuxfoundation  Runc     1.0.0     rc93   Affected
Linuxfoundation  Runc     1.0.0     rc94   Affected
Fedoraproject    Fedora   33        -      Affected
Fedoraproject    Fedora   34        -      Affected