Vulnerable Library - github.com/opencontainers/runc-v1.0.3

CLI tool for spawning and running containers according to the OCI specification

Library home page: https://proxy.golang.org/github.com/opencontainers/runc/@v/v1.0.3.zip

Dependency Hierarchy:

• github.com/docker/docker-v20.10.3-0.20220207145910-4b3471ddc064+incompatible (Root Library)
  • ❌ github.com/opencontainers/runc-v1.0.3 (Vulnerable Library)

Found in HEAD commit: b3ac62d12e3d43994ff7ad836e34da801ed665fb

Found in base branch: master

Vulnerability Details

runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes /sys/fs/cgroup writable in following conditons: 1. when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared (e.g.., (docker|podman|nerdctl) run --cgroupns=host, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and /sys is mounted with rbind, ro (e.g., runc spec --rootless; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/... on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add /sys/fs/cgroup to maskedPaths.

Publish Date: 2023-03-29

URL: CVE-2023-25809

CVSS 3 Score Details (6.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-25809

Release Date: 2023-03-29

Fix Resolution: v1.1.5