Runc
CVE-2023-28642
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when /proc inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked /proc. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.
AnalysisAI
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-281. runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when /proc inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked /proc. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image. Affected products include: Linuxfoundation Runc. Version information: version 1.1.5.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Alpine Linux: runc fixed in 1.1.12-r0
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 8.4
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass beca
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linu
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated medium severity (CVSS 6
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. Rated medium severit
runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. Rated high severity (CVSS 8.5), t
libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a po
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. Rated high severity
Moby is an open-source project created by Docker to enable and accelerate software containerization. Rated medium severi
Same weakness CWE-281 – Improper Preservation of Permissions
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today