CVE-2023-25809 (Medium) detected in github.com/opencontainers/runc-v1.0.3 - autoclosed
mend-bolt-for-github opened this issue · comments
CVE-2023-25809 - Medium Severity Vulnerability
Vulnerable Library - github.com/opencontainers/runc-v1.0.3
CLI tool for spawning and running containers according to the OCI specification
Library home page: https://proxy.golang.org/github.com/opencontainers/runc/@v/v1.0.3.zip
Dependency Hierarchy:
- github.com/docker/docker-v20.10.3-0.20220207145910-4b3471ddc064+incompatible (Root Library)
- ❌ github.com/opencontainers/runc-v1.0.3 (Vulnerable Library)
Found in HEAD commit: b3ac62d12e3d43994ff7ad836e34da801ed665fb
Found in base branch: master
Vulnerability Details
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes /sys/fs/cgroup
writable in following conditons: 1. when runc is executed inside the user namespace, and the config.json
does not specify the cgroup namespace to be unshared (e.g.., (docker|podman|nerdctl) run --cgroupns=host
, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and /sys
is mounted with rbind, ro
(e.g., runc spec --rootless
; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/...
on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private)
. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add /sys/fs/cgroup
to maskedPaths
.
Publish Date: 2023-03-29
URL: CVE-2023-25809
CVSS 3 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-25809
Release Date: 2023-03-29
Fix Resolution: v1.1.5
Step up your Open Source Security Game with Mend here
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.