Skip to main content

Runc CVE-2023-28642

HIGH
Improper Preservation of Permissions (CWE-281)
2023-03-29 security-advisories@github.com
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 29, 2023 - 19:15 nvd
HIGH 7.8

DescriptionNVD

runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when /proc inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked /proc. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.

AnalysisAI

runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-281. runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when /proc inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked /proc. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image. Affected products include: Linuxfoundation Runc. Version information: version 1.1.5.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Runc

View all
CVE-2024-21626 HIGH POC
8.6

Alpine Linux: runc fixed in 1.1.12-r0

CVE-2025-52565 HIGH POC
8.4 Nov 06

runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 8.4

CVE-2019-16884 HIGH POC
7.5 Sep 25

runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass beca

CVE-2025-52881 HIGH POC
7.3 Nov 06

runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3

CVE-2025-31133 HIGH POC
7.3 Nov 06

runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3

CVE-2023-27561 HIGH POC
7.0 Mar 03

runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linu

CVE-2023-25809 MEDIUM POC
6.3 Mar 29

runc is a CLI tool for spawning and running containers according to the OCI specification. Rated medium severity (CVSS 6

CVE-2021-43784 MEDIUM POC
5.0 Dec 06

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. Rated medium severit

CVE-2021-30465 HIGH
8.5 May 27

runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. Rated high severity (CVSS 8.5), t

CVE-2016-3697 HIGH
7.8 Jun 01

libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a po

CVE-2022-29162 HIGH
7.8 May 17

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. Rated high severity

CVE-2022-24769 MEDIUM
5.9 Mar 24

Moby is an open-source project created by Docker to enable and accelerate software containerization. Rated medium severi

Share

CVE-2023-28642 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy