Vulnerability Details CVE-2023-27561
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 30.1%
CVSS Severity
CVSS v3 Score 7.0
References
- https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9
- https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334
- https://github.com/opencontainers/runc/issues/3751
- https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ/
- https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9
- https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334
- https://github.com/opencontainers/runc/issues/3751
- https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ/
- https://security.netapp.com/advisory/ntap-20241206-0004/
Products affected by CVE-2023-27561
-
cpe:2.3:a:linuxfoundation:runc:-
-
cpe:2.3:a:linuxfoundation:runc:0.0.1
-
cpe:2.3:a:linuxfoundation:runc:0.0.2
-
cpe:2.3:a:linuxfoundation:runc:0.0.2.1
-
cpe:2.3:a:linuxfoundation:runc:0.0.3
-
cpe:2.3:a:linuxfoundation:runc:0.0.4
-
cpe:2.3:a:linuxfoundation:runc:0.0.5
-
cpe:2.3:a:linuxfoundation:runc:0.0.6
-
cpe:2.3:a:linuxfoundation:runc:0.0.7
-
cpe:2.3:a:linuxfoundation:runc:0.0.8
-
cpe:2.3:a:linuxfoundation:runc:0.0.9
-
cpe:2.3:a:linuxfoundation:runc:0.1.0
-
cpe:2.3:a:linuxfoundation:runc:0.1.1
-
cpe:2.3:a:linuxfoundation:runc:1.0.0
-
cpe:2.3:a:linuxfoundation:runc:1.0.1
-
cpe:2.3:a:linuxfoundation:runc:1.0.2
-
cpe:2.3:a:linuxfoundation:runc:1.0.3
-
cpe:2.3:a:linuxfoundation:runc:1.1.0
-
cpe:2.3:a:linuxfoundation:runc:1.1.1
-
cpe:2.3:a:linuxfoundation:runc:1.1.2
-
cpe:2.3:a:linuxfoundation:runc:1.1.3
-
cpe:2.3:a:linuxfoundation:runc:1.1.4
-
cpe:2.3:a:redhat:openshift_container_platform:4.0
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:redhat:enterprise_linux:8.0
-
cpe:2.3:o:redhat:enterprise_linux:9.0