CVE-2023-27561 (High) detected in github.com/opencontainers/runc-v1.0.3 - autoclosed #162
Description
CVE-2023-27561 - High Severity Vulnerability
Vulnerable Library - github.com/opencontainers/runc-v1.0.3
CLI tool for spawning and running containers according to the OCI specification
Library home page: https://proxy.golang.org/github.com/opencontainers/runc/@v/v1.0.3.zip
Dependency Hierarchy:
- github.com/docker/docker-v20.10.3-0.20220207145910-4b3471ddc064+incompatible (Root Library)
- ❌ github.com/opencontainers/runc-v1.0.3 (Vulnerable Library)
Found in HEAD commit: b3ac62d12e3d43994ff7ad836e34da801ed665fb
Found in base branch: master
Vulnerability Details
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.
Publish Date: 2023-03-03
URL: CVE-2023-27561
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Step up your Open Source Security Game with Mend here