CVE-2019-19921

runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)

Weakness

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

Affected Software

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/159.html
• https://cwe.mitre.org/data/definitions/177.html
• https://cwe.mitre.org/data/definitions/48.html
• https://cwe.mitre.org/data/definitions/641.html

References

• http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html
• https://access.redhat.com/errata/RHSA-2020:0688
• https://access.redhat.com/errata/RHSA-2020:0695
• https://github.com/opencontainers/runc/issues/2197
• https://github.com/opencontainers/runc/pull/2190
• https://github.com/opencontainers/runc/releases
• https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ/
• https://security-tracker.debian.org/tracker/CVE-2019-19921
• https://security.gentoo.org/glsa/202003-21
• https://usn.ubuntu.com/4297-1/